[Snort-users] LaBrea escalates event volume
the_saint_james at ...131...
Mon Mar 18 14:08:15 EST 2002
> I recently deployed LaBrea and added Snort rules that generate alerts when
> a foreign host interacts with a LaBrea phantom host. I've been amazed at
> the amount of associated traffic.
> LaBrea only tarpits a host every few seconds. But, I see 4,000-10,000
> attempted connections per hour against the phantom hosts. These don't
> appear to be a concerted attack by one or a few individuals. The IP
> addresses are quite varied and don't seem to reappear often. I'm simply
> getting hit from everywhere.
What is the nature of these "4,000-10,000 attempted connections per hour
against the phantom hosts"? (i.e., what port, exploit, etc.)