[Snort-sigs] TCP sweeps
Hazel, Scott A.
Scott.Hazel at ...2928...
Mon Dec 13 07:45:16 EST 2004
That's hard to pinpoint. I'm only involved with the security side so when
we do see an event like this, we rarely (if ever) receive intimate details
on the perpetrating hardware. We alert the local network warlord to the
outbreak and request they squash the insurgence. It also depends on the
"infection". Slammer is usually quite aggressive and even a 500/min spike
setting will still generate hundreds of alerts by the time someone can deal
with patient zero. We still run the single event signature for Blaster in
parallel with the spike alert in case a less powerful event steps into the
From: Matt Jonkman [mailto:matt at ...2436...]
Sent: Monday, December 13, 2004 10:32 AM
To: Hazel, Scott A.
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] TCP sweeps
Good to know this idea has some value, thanks.
I'm concerned about 500/minute though. Specifically in the case of a worm
infected workstation. I've seen them so loaded by the worm that they can
barely get one or two connections initiated a second. I'm concerned we'd
miss the underpowered workstation infections. Several of the poorly written
recent worms opened so many threads this was the case even on well powered
In practice are you seeing the average machine go well over 500/minute in an
Hazel, Scott A. wrote:
>We have dealt with similar issues here using Dragon. I know the
>platform is different but we applied the same approach. I called them
>spike alerts and started closer to 500 in 60 seconds. For segments
>containing MS DC's, setting it as low as 50 still gave us a high FP
>rate. Seems like non-DC segments would be fine at 50/min.
>Security Operations Center
>scott.hazel at ...2928...
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 6457 bytes
Desc: not available
More information about the Snort-sigs