[Snort-sigs] TCP sweeps

Matt Jonkman matt at ...2436...
Mon Dec 13 07:34:03 EST 2004

Good to know this idea has some value, thanks.

I'm concerned about 500/minute though. Specifically in the case of a 
worm infected workstation. I've seen them so loaded by the worm that 
they can barely get one or two connections initiated a second. I'm 
concerned we'd miss the underpowered workstation infections. Several of 
the poorly written recent worms opened so many threads this was the case 
even on well powered machines.

In practice are you seeing the average machine go well over 500/minute 
in an infection?


Hazel, Scott A. wrote:

>We have dealt with similar issues here using Dragon.  I know the platform is
>different but we applied the same approach. I called them spike alerts and
>started closer to 500 in 60 seconds.  For segments containing MS DC's,
>setting it as low as 50 still gave us a high FP rate.  Seems like non-DC
>segments would be fine at 50/min. 
>Scott Hazel
>Security Operations Center
>scott.hazel at ...2928...

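One way to see the trade-off Matt raises, as an added example that is not from the original thread or from any Snort code: a per-source count of new destinations in a sliding 60-second window, run over constructed connection records for three hosts (addresses and rates are made up). At 500/min only the fast scanner is flagged; at 50/min the slow worm-infected host at roughly 1.5 new connections a second is caught as well, while a normal workstation at 20/min stays under both thresholds.

```python
from collections import defaultdict


def build_sample():
    """Constructed outbound connection attempts as (second, src, dst) tuples."""
    events = []
    # Fast scanner: 800 distinct destinations inside one minute.
    for i in range(800):
        events.append((i * 60 // 800, "10.0.0.5", f"10.1.{i // 256}.{i % 256}"))
    # Slow worm-infected host: about 1.5 new connections a second, 90 per minute.
    for i in range(90):
        events.append((i * 60 // 90, "10.0.0.7", f"10.2.0.{i + 1}"))
    # Normal workstation: 20 new connections a minute.
    for i in range(20):
        events.append((i * 3, "10.0.0.9", f"10.3.0.{i + 1}"))
    return sorted(events)


def sweeps_per_minute(events, threshold, window=60):
    """Return {src: peak distinct new destinations in any `window`-second span}
    for sources whose peak exceeds `threshold`.

    Only the first contact with each (src, dst) pair counts, so repeated
    connections to the same server are not mistaken for sweep activity."""
    first_contact = {}
    times_by_src = defaultdict(list)
    for t, src, dst in events:
        if (src, dst) in first_contact:
            continue
        first_contact[(src, dst)] = t
        times_by_src[src].append(t)

    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window` seconds.
            while t - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    sample = build_sample()
    print("500/min:", sweeps_per_minute(sample, 500))
    print("50/min: ", sweeps_per_minute(sample, 50))
```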