Snort mailing list archives

Re: LaBrea escalates event volume


From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 18 Mar 2002 21:51:20 -0800

Hi Chris,

Ahh! I see where I've failed to explain fully.

LaBrea is tricky. Its phantom hosts _do_ complete a 3-way TCP handshake with an attacker. So, even though these IPs have no associated web server, an attempt to connect to port 80 -- or whatever port the attacker is using -- via TCP succeeds. That's why I'm able to inspect the logged packets.

Cheers,

--On Monday, March 18, 2002 11:13 PM -0500 Chris Green <cmg () sourcefire com> wrote:

Bill McCarty <bmccarty () apu edu> writes:

Hi Chris,

I don't think that the port 80 stuff is CodeRed or similar. Here's why.

When I turn off my custom rules, I don't get all that many
alerts. However, I do get an occasional CodeRed. I conclude that, if
the packets were CodeRed, I'd continue getting a high volume of alerts
when I turn off my custom rules. But, the volume goes down by an order
of magnitude. So, I figure they're not CodeRed. Does that make
sense?

Do these machines have webservers on them?  If they don't, you're not
going to see the successful TCP connections.. Though if they do have
webservers, I have no answer.

---------------------------------------------------
Bill McCarty

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
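The point Bill makes above is that a LaBrea phantom host answers the SYN on an address with no real service, so the client finishes the handshake and sends its request, which is what ends up in the sensor's logs; a real host with nothing listening would reset the SYN and the sensor would never see a payload. The simulation below, an added example that is not code from this thread or from the LaBrea project, walks through both cases with a simplified client, a real host and a phantom host. The segment format, the host classes, the addresses and the sample request are all constructed for the illustration; only the flag sequence mirrors real TCP.

```python
"""Simplified model of a LaBrea-style tarpit completing the TCP handshake
on an otherwise unused IP, and of what a passive sensor on the wire gets
to inspect as a result. Added example; packet format and host behaviour
are assumptions, not LaBrea's real implementation."""

from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Segment:
    """A TCP segment reduced to what the example needs."""
    src: str
    dst: str
    dport: int
    flags: str            # "SYN", "SYN/ACK", "ACK", "PSH/ACK" or "RST"
    payload: bytes = b""


@dataclass
class Host:
    """A real host: only ports with a listener accept a connection."""
    ip: str
    listening: Set[int] = field(default_factory=set)

    def handle(self, seg: Segment) -> Optional[Segment]:
        if seg.flags == "SYN":
            if seg.dport in self.listening:
                return Segment(self.ip, seg.src, seg.dport, "SYN/ACK")
            # Closed port: the SYN is reset and the client never sends data.
            return Segment(self.ip, seg.src, seg.dport, "RST")
        if seg.flags == "PSH/ACK":
            return Segment(self.ip, seg.src, seg.dport, "ACK")
        return None


@dataclass
class PhantomHost:
    """Tarpit phantom (assumed behaviour): claims an unused IP and completes
    the handshake on every port, then acknowledges whatever data arrives."""
    ip: str

    def handle(self, seg: Segment) -> Optional[Segment]:
        if seg.flags == "SYN":
            return Segment(self.ip, seg.src, seg.dport, "SYN/ACK")
        if seg.flags == "PSH/ACK":
            return Segment(self.ip, seg.src, seg.dport, "ACK")
        return None


def attempt_connect(client_ip: str, target, dport: int, request: bytes,
                    sensor: List[Segment]) -> List[bytes]:
    """Run a simplified client against `target`, recording every segment in
    `sensor` (a stand-in for an IDS on the wire). Returns the payloads the
    sensor could inspect."""
    syn = Segment(client_ip, target.ip, dport, "SYN")
    sensor.append(syn)
    reply = target.handle(syn)
    sensor.append(reply)
    if reply.flags != "SYN/ACK":
        return []                      # handshake failed; nothing more is sent
    ack = Segment(client_ip, target.ip, dport, "ACK")
    sensor.append(ack)
    target.handle(ack)
    data = Segment(client_ip, target.ip, dport, "PSH/ACK", request)
    sensor.append(data)
    sensor.append(target.handle(data))
    return [s.payload for s in sensor if s.payload]


def run_scenarios() -> dict:
    """Same client request against a web server, an address with no
    listener, and a phantom host; returns the flag trace and the payloads
    visible to the sensor for each."""
    request = b"GET / HTTP/1.0\r\n\r\n"   # constructed sample request
    client = "203.0.113.9"                # constructed source address
    targets = {
        "web_server": Host("192.0.2.10", listening={80}),
        "no_listener": Host("192.0.2.11"),
        "labrea_phantom": PhantomHost("192.0.2.12"),
    }
    results = {}
    for name, target in targets.items():
        sensor: List[Segment] = []
        payloads = attempt_connect(client, target, 80, request, sensor)
        results[name] = {"flags": [s.flags for s in sensor],
                         "payloads": payloads}
    return results


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:15} {' '.join(result['flags']):40} "
              f"payloads seen: {len(result['payloads'])}")
```

Run as a script, the trace shows the no-listener case ending at SYN/RST with nothing to inspect, while the phantom host produces the same five-segment exchange and the same visible request as the real web server. That is why rules matching on payload content fire against LaBrea addresses that have no service behind them.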
