Snort mailing list archives
RE: ICMP PING CyberKit 2.2 Windows
From: "Tony Bunce" <tonyb () go-concepts com>
Date: Fri, 22 Aug 2003 00:41:10 -0400
We are also getting lots of these. You may want to watch your network, as it appears that this is causing some major problems with TNT dialup boxes. http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml has some info about it. Apparently each one of those 91-byte pings generates an ARP request, and some devices aren't handling such a large number of ARP requests too well.

Thanks,
Tony B, CCNA, Network+
Systems Administration
GO Concepts, Inc. / www.go-concepts.com
Are you on the GO yet? What about those you know, are they on the GO?
513.934.2800
1.888.ON.GO.YET

-----Original Message-----
From: JP Vossen [mailto:vossenjp () netaxs com]
Sent: Thursday, August 21, 2003 5:18 PM
To: snort-users () lists sourceforge net
Cc: mike.feetham () percepta-crm com
Subject: RE: [Snort-users] ICMP PING CyberKit 2.2 Windows
> From: "Mike Feetham" <mike.feetham () percepta-crm com>
> To: <snort-users () lists sourceforge net>
> Subject: RE: [Snort-users] RE: ICMP PING CyberKit 2.2 Windows
> Date: Wed, 20 Aug 2003 12:32:40 -0400
>
> Between Monday and Tuesday we saw over 10,000 hits on our Class C. Between yesterday and today that number dropped to about 3,000. Today, we're not seeing any. My only guess is that our ISPs are blocking them (Allstream, and Worldcom). Has anyone else seen this behaviour?
As other posters have indicated, it has not slacked off elsewhere. In fact, my Snort/ACID honeypot numbers show it getting worse if anything! This is on my iDSL backup link, so we are talking about a small link in a broadband IP segment, just to give an idea of proportion. Note I am counting PACKETS here, *not* the CyberKit rule. See the query below.

<honeypot stats>
Date        Packets  Per_Hour  Est_Attacks
2003-08-01       13      0.54         6.50
2003-08-02        8      0.33         4.00
2003-08-03       11      0.46         5.50
2003-08-04        9      0.38         4.50
2003-08-05       47      1.96        23.50
2003-08-06       67      2.79        33.50
2003-08-07       11      0.46         5.50
2003-08-08       12      0.50         6.00
2003-08-09       12      0.50         6.00
2003-08-10       37      1.54        18.50
2003-08-11      768     32.00       384.00
2003-08-12     1698     70.75       849.00
2003-08-13     1142     47.58       571.00
2003-08-14     1218     50.75       609.00
2003-08-15     1097     45.71       548.50
2003-08-16     1009     42.04       504.50
2003-08-17      952     39.67       476.00
2003-08-18     2440    101.67      1220.00
2003-08-19     3989    166.21      1994.50
2003-08-20     4606    191.92      2303.00
2003-08-21     3235    190.29      1617.50

Current up to: 2003-08-21 17:10:16-0400
Note 1: Est_Attacks assumes 2 packets per attack. That is--an ESTIMATE!
Note 2: The last entry (time-to-present) is also a rough estimate...
<honeypot stats>

Note this is just an SQL query of an ACID table in a shell script. I'll post or e-mail the whole thing if anyone cares, but here's the guts:

    ...
    # First argument: start date; second argument: end date (defaults to today)
    START=${1:-2003-08-01}
    END=${2:-`date +%Y-%m-%d`}
    ...
    # Count TCP/135 events per day from the ACID event table
    mysql snort <<SQL | tee daily.txt
    SELECT DATE_FORMAT(timestamp, '%Y-%m-%d') AS Date,
           COUNT(*) AS Packets,
           (COUNT(*)/24) AS Per_Hour,
           (COUNT(*)/2) AS Est_Attacks
    FROM acid_event
    WHERE ((layer4_dport = 135 and ip_proto = 6)
       AND (timestamp BETWEEN '${START}' AND '${END}'))
    GROUP BY Date;
    SQL
    ...
Later,
JP
------------------------------|:::======|-------------------------------
JP Vossen, CISSP              |:::======|      jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|      http://www.jpsdomain.org/
------------------------------|=========|-------------------------------
"The software said it requires Windows XP or better, so I installed Linux..."

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
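The per-day aggregation that JP Vossen's shell/SQL snippet performs (Packets, Per_Hour, Est_Attacks per date, filtered to TCP port 135), as an added Python example that is not the poster's script and not part of the original thread. It runs over constructed sample rows instead of a MySQL/ACID database, and it also makes the "time-to-present" caveat from Note 2 explicit: the day containing the report time is divided by the hours elapsed so far rather than by 24, which is what the posted table's last row works out to (3235 packets at 17:10 gives 190.29 per hour). The column names follow the posted query; the sample rows, the `REPORT_NOW` time, and the inclusive handling of the end date are assumptions.

```python
"""Per-day count of acid_event rows matching a filter, in the shape of the
Packets / Per_Hour / Est_Attacks table posted above.

Added example, not the poster's script: it reproduces the aggregation the
posted SQL does, in Python over constructed sample rows, so it runs without
a MySQL/ACID database. Column names follow the posted query (timestamp,
ip_proto, layer4_dport); the sample data and report time are assumptions.
"""
from collections import Counter
from datetime import date, datetime

IPPROTO_TCP = 6   # ip_proto = 6 in the posted query

# Constructed sample rows: (timestamp, ip_proto, layer4_dport).
SAMPLE_EVENTS = [
    ("2003-08-18 00:10:00", 6, 135),
    ("2003-08-18 03:15:00", 6, 135),
    ("2003-08-18 08:40:00", 6, 135),
    ("2003-08-18 09:00:00", 1, 0),      # ICMP: not matched by the TCP/135 filter
    ("2003-08-18 21:05:00", 6, 135),
    ("2003-08-19 01:00:00", 6, 135),
    ("2003-08-19 01:00:01", 6, 135),
    ("2003-08-19 14:30:00", 6, 445),    # TCP, but a different port: not matched
    ("2003-08-19 16:45:00", 6, 135),
    ("2003-08-19 22:10:00", 6, 135),
    ("2003-08-19 22:10:01", 6, 135),
    ("2003-08-20 00:00:30", 6, 135),
    ("2003-08-20 06:05:00", 6, 135),
    ("2003-08-20 11:59:59", 6, 135),
    ("2003-08-22 12:00:00", 6, 135),    # after END: not matched
]

# Constructed "Current up to" time for the report below (an assumption).
REPORT_NOW = datetime(2003, 8, 20, 12, 0, 0)


def daily_report(events, start, end, now=None, proto=IPPROTO_TCP, dport=135,
                 packets_per_attack=2):
    """Return [(date, packets, per_hour, est_attacks), ...] for start..end.

    start/end are inclusive YYYY-MM-DD strings. Per_Hour divides by 24 for
    complete days; for the day containing `now` it divides by the hours
    elapsed so far (the 'time-to-present' caveat in the posted Note 2).
    Est_Attacks divides by packets_per_attack (2 in the posted query).
    """
    start_day = date.fromisoformat(start)
    end_day = date.fromisoformat(end)
    counts = Counter()
    for ts, ip_proto, layer4_dport in events:
        if ip_proto != proto or layer4_dport != dport:
            continue
        day = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").date()
        if start_day <= day <= end_day:
            counts[day] += 1

    rows = []
    for day in sorted(counts):
        if now is not None and day == now.date():
            # Partial day: use elapsed hours, floored at one hour so a report
            # run just after midnight does not divide by ~0.
            hours = max(now.hour + now.minute / 60 + now.second / 3600, 1.0)
        else:
            hours = 24.0
        packets = counts[day]
        rows.append((day.isoformat(), packets,
                     round(packets / hours, 2), packets / packets_per_attack))
    return rows


def format_report(rows):
    """Render rows as a fixed-width table like the posted honeypot stats."""
    lines = ["Date        Packets  Per_Hour  Est_Attacks"]
    for day, packets, per_hour, est_attacks in rows:
        lines.append(f"{day}  {packets:7d}  {per_hour:8.2f}  {est_attacks:11.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = daily_report(SAMPLE_EVENTS, "2003-08-18", "2003-08-21", REPORT_NOW)
    print(format_report(report))
    print(f"Current up to: {REPORT_NOW.isoformat(sep=' ')}")
```

To use it against a real sensor, replace `SAMPLE_EVENTS` with rows fetched from the `acid_event` table (the three columns the posted query reads) and pass the wall-clock time as `now`; the rest of the logic is unchanged. The filter is deliberately the same as the posted one (TCP destination port 135), so the figures count Blaster/Nachi-style probe packets rather than CyberKit rule hits, exactly as the poster notes.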