[Snort-sigs] TCP sweeps
matt at ...2436...
Mon Dec 13 07:34:03 EST 2004
Good to know this idea has some value, thanks.
I'm concerned about 500/minute though, specifically in the case of a
worm-infected workstation. I've seen them so loaded by the worm that
they can barely get one or two connections initiated a second. I'm
concerned we'd miss the underpowered workstation infections. Several of
the poorly written recent worms opened so many threads that this was the case
even on well-powered machines.
In practice, are you seeing the average machine go well over 500/minute
in an infection?
Hazel, Scott A. wrote:
>We have dealt with similar issues here using Dragon. I know the platform is
>different, but we applied the same approach. I called them spike alerts and
>started closer to 500 in 60 seconds. For segments containing MS DCs,
>setting it as low as 50 still gave us a high FP rate. Seems like non-DC
>segments would be fine at 50/min.
>Security Operations Center
>scott.hazel at ...2928...
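The trade-off discussed in this thread, as an added illustration that is not part of either post: a sliding 60-second window counts the distinct destination hosts each source contacts (my assumption for what a "sweep" counts; Dragon's and Snort's own counters may differ) and is run at the 50/min and 500/min thresholds over constructed traffic for a slow worm-infected host, a busy domain controller, and a fast scanner. All addresses and rates are made up for the example.

```python
from collections import defaultdict, deque, Counter

def make_events():
    """Constructed SYN records as (timestamp_seconds, src_ip, dst_ip, dst_port)."""
    events = []
    # Underpowered worm-infected host: ~2 new destinations per second, 120/min.
    for t in range(60):
        for k in range(2):
            events.append((float(t), "10.0.0.5", f"10.1.{t}.{k}", 445))
    # Busy domain controller talking to ~80 distinct clients per minute (FP candidate).
    for i in range(80):
        events.append((i * 0.75, "10.0.0.1", f"10.0.2.{i}", 445))
    # Fast scanner: 600 distinct destinations inside one minute.
    for i in range(600):
        events.append((i * 0.1, "10.0.0.9", f"10.3.{i // 256}.{i % 256}", 135))
    return events

EVENTS = make_events()

def sweep_alerts(events, count, seconds=60):
    """Return sources that reach `count` distinct destinations within any `seconds` window."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in events:
        by_src[src].append((ts, dst))
    alerts = set()
    for src, recs in by_src.items():
        recs.sort()
        window = deque()          # (ts, dst) records inside the current window
        seen = Counter()          # distinct destinations in the window, with counts
        for ts, dst in recs:
            window.append((ts, dst))
            seen[dst] += 1
            # Expire records older than the window length.
            while window and ts - window[0][0] > seconds:
                old_ts, old_dst = window.popleft()
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
            if len(seen) >= count:
                alerts.add(src)
                break
    return alerts

def compare_thresholds(events=EVENTS, thresholds=(50, 500)):
    """Map each threshold to the set of sources it would flag."""
    return {c: sweep_alerts(events, c) for c in thresholds}

if __name__ == "__main__":
    for c, srcs in compare_thresholds().items():
        print(f"{c}/min -> {sorted(srcs)}")
```

At 500/min only the fast scanner fires; at 50/min the slow infected host is caught, but so is the domain controller, which is the false-positive pattern Scott describes on DC segments.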