[Snort-users] LaBrea escalates event volume

james the_saint_james at ...131...
Mon Mar 18 14:08:15 EST 2002


> I recently deployed LaBrea and added Snort rules that generate alerts when
> a foreign host interacts with a LaBrea phantom host. I've been amazed at
> the amount of associated traffic.
>
> LaBrea only tarpits a host every few seconds. But, I see 4,000-10,000
> attempted connections per hour against the phantom hosts. These don't
> appear to be a concerted attack by one or a few individuals. The IP
> addresses are quite varied and don't seem to reappear often. I'm simply
> getting hit from everywhere.
>

What is the nature of these "4,000-10,000 attempted connections per hour
against the phantom hosts"? (i.e., what port, exploit, etc.)

james




