LaBrea escalates event volume

Mon Mar 18 10:24:06 EST 2002

I recently deployed LaBrea and added Snort rules that generate alerts when 
a foreign host interacts with a LaBrea phantom host. I've been amazed at 
the amount of associated traffic.

LaBrea only tarpits a host every few seconds, but I see 4,000-10,000 
attempted connections per hour against the phantom hosts. These don't 
appear to be a concerted attack by one or a few individuals. The IP 
addresses are quite varied and don't seem to reappear often. I'm simply 
getting hit from everywhere.

Q: Is this sort of event volume typical of the Internet these days?

I run a small academic lab with 24 workstations and a few servers. We're 
reasonably secure at this point, so I don't think we present a target of 
opportunity, and I can't imagine why we'd be a target of choice.

Problem is, Snortsnarf can't handle this volume of alerts. We're talking 
hundreds of megabytes of log files daily. I'd prefer to continue logging 
the events and reporting them to Dshield.org. But, to do so, I'd have to 
craft filter scripts that omit the LaBrea records from the Snortsnarf 
analysis, or something of that sort.

Q: Anyone been there and done that, or otherwise coped with this problem?


Bill McCarty
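One way to do the filtering the post asks about, as an added example that is not code from the original post, from LaBrea, Snort or Snortsnarf: read Snort's alert_fast output, peel off the alerts that belong to the tarpit (either because the local rule's message says so or because the destination is one of the phantom addresses), hand everything else to Snortsnarf unchanged, and collapse the tarpit hits to per-hour, per-source counts so they can still be reported without keeping every line. The rule message tag "LaBrea", the phantom block 192.0.2.200/29 and the sample alert lines are all constructed for the example; adjust the first two to match your own rules and LaBrea configuration.

```python
"""Split a Snort alert_fast log into LaBrea tarpit hits and everything else.

Added example, not code from the original post, LaBrea, Snort or Snortsnarf.
Hypothetical assumptions: the local Snort rule's msg contains "LaBrea", and
the LaBrea phantom hosts live in 192.0.2.200/29. Change both to suit.
"""
import re
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical: the tag the local rule puts in its msg, and the block of
# otherwise-unused addresses LaBrea answers for.
LABREA_TAG = "LaBrea"
PHANTOM_NETS = [ip_network("192.0.2.200/29")]

# Snort alert_fast line shape:
#   timestamp [**] [gid:sid:rev] msg [**] [...] {PROTO} src[:port] -> dst[:port]
# ICMP alerts carry no ports, so both port groups are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alert_fast lines (not from the original post).
SAMPLE_ALERTS = """\
03/18-10:24:06.118245  [**] [1:1000001:1] LOCAL LaBrea phantom host probe [**] [Priority: 3] {TCP} 203.0.113.45:3012 -> 192.0.2.201:80
03/18-10:24:07.002314  [**] [1:1000001:1] LOCAL LaBrea phantom host probe [**] [Priority: 3] {TCP} 198.51.100.9:1044 -> 192.0.2.202:445
03/18-10:25:11.440021  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.45:3101 -> 192.0.2.10:80
03/18-11:01:53.771900  [**] [1:1000001:1] LOCAL LaBrea phantom host probe [**] [Priority: 3] {TCP} 203.0.113.45:3300 -> 192.0.2.203:139
03/18-11:02:00.000001  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.77 -> 192.0.2.10
"""


def parse_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def is_labrea_hit(rec, phantom_nets=PHANTOM_NETS, tag=LABREA_TAG):
    """A tarpit hit is one the rule labels as such, or one aimed at a phantom address."""
    if tag in rec["msg"]:
        return True
    dst = ip_address(rec["dst"])
    return any(dst in net for net in phantom_nets)


def split_alerts(lines, phantom_nets=PHANTOM_NETS, tag=LABREA_TAG):
    """Return (lines_for_snortsnarf, labrea_records).

    Lines that do not parse are passed through to Snortsnarf untouched, so a
    format surprise costs analysis time rather than losing an alert.
    """
    keep, labrea = [], []
    for line in lines:
        rec = parse_alert(line)
        if rec and is_labrea_hit(rec, phantom_nets, tag):
            labrea.append(rec)
        else:
            keep.append(line.rstrip("\n"))
    return keep, labrea


def summarize_labrea(records):
    """Collapse tarpit hits to one count per (hour, source, proto, dest port).

    This is the shape a reporting script would consume; it is not DShield's
    own submission format, which is documented separately.
    """
    counts = Counter()
    for r in records:
        hour = r["ts"][:8]  # "MM/DD-HH"
        counts[(hour, r["src"], r["proto"], r["dport"] or "-")] += 1
    return counts


if __name__ == "__main__":
    # Usage: python split_labrea.py < alert > alert.snortsnarf   (summary on stderr)
    kept, hits = split_alerts(sys.stdin)
    sys.stdout.write("\n".join(kept) + ("\n" if kept else ""))
    for key, n in sorted(summarize_labrea(hits).items()):
        sys.stderr.write("%s %s %s %s %d\n" % (key + (n,)))
```

Run it in front of Snortsnarf (the filtered file is what Snortsnarf reads) and keep the summary for reporting; deciding by destination address as well as by rule message means a probe that happens to trip a different Snort rule on a phantom host is still counted as tarpit traffic rather than showing up as an attack on a real machine.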

