[Snort-users] LaBrea escalates event volume
cmg at ...1935...
Mon Mar 18 17:16:20 EST 2002
Bill McCarty <bmccarty at ...5196...> writes:
> Hi James,
> From what I can make out, these are typical scans and probes. If
> they're at all unusual, they're unusual in volume, not characteristics.
> The majority -- perhaps 75% -- are TCP connections to port 80. A large
> minority -- perhaps 10% -- are ICMP, mainly pings and replies. Then,
> we have the usual 21, 22, 111, 443, et cetera, making up the balance.
> I chose to write custom alerts against these events because an attempt
> to access a non-existent host on a private network seemed to me to be
> at least somewhat hostile. The volume of non-custom Snort alerts that
> I see does not seem more than that reported by others.
Ok, knowing they are custom rules causes a lot fewer eyebrows to raise.
75% are probably Code Red/Nimda (these machines have no webservers).
10% are probably ping sweeps,
and the rest are the sweeps we all know and love <sigh>
Chris Green <cmg at ...1935...>
You now have 14 minutes to reach minimum safe distance.
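The breakdown Bill gives (most alerts are TCP/80, a large minority ICMP, the rest the usual ports) and Chris's reading of it (port 80 to hosts that run no web server is worm-style sweeping) is the kind of triage one can script over Snort's fast-format alert output. The following is an added example, not code from the thread or from the Snort project: the alert line format is Snort's "fast" output, but the sample lines, the sid values, the decoy range 192.168.1.64/26 and the function names are constructed for illustration. It buckets alerts by protocol and destination port, then lists sources that hit TCP/80 on several distinct decoy addresses, which is the pattern Chris attributes to Code Red/Nimda (pinning it to a particular worm is an assumption you would confirm from payload, not from the port alone).

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in Snort "fast" alert format (not taken from the thread).
# Sources and decoy addresses are documentation/private ranges chosen for the example.
SAMPLE_ALERTS = """\
03/18-17:01:02.000001 [**] [1:1000001:1] LABREA probe to unused host [**] {TCP} 203.0.113.9:3344 -> 192.168.1.77:80
03/18-17:01:03.000002 [**] [1:1000001:1] LABREA probe to unused host [**] {TCP} 203.0.113.9:3345 -> 192.168.1.78:80
03/18-17:01:04.000003 [**] [1:1000001:1] LABREA probe to unused host [**] {TCP} 198.51.100.4:4000 -> 192.168.1.79:80
03/18-17:01:05.000004 [**] [1:1000002:1] LABREA ICMP to unused host [**] {ICMP} 198.51.100.4 -> 192.168.1.80
03/18-17:01:06.000005 [**] [1:1000001:1] LABREA probe to unused host [**] {TCP} 198.51.100.4:4001 -> 192.168.1.81:22
03/18-17:01:07.000006 [**] [1:1000001:1] LABREA probe to unused host [**] {TCP} 203.0.113.9:3346 -> 192.168.1.82:443
03/18-17:01:08.000007 [**] [1:1000001:1] LABREA probe to unused host [**] {TCP} 203.0.113.9:3347 -> 192.168.1.83:80
03/18-17:01:09.000008 [**] [1:1000002:1] LABREA ICMP to unused host [**] {ICMP} 203.0.113.9 -> 192.168.1.84
"""

# Hypothetical address block that LaBrea answers for; nothing in it runs a real service.
DECOY_SPACE = ip_network("192.168.1.64/26")

# One fast-format alert line: timestamp, [gid:sid:rev], message, {proto}, src[:port] -> dst[:port].
# ICMP lines carry no ports, so the port groups are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_fast_alerts(text):
    """Yield one dict per well-formed fast-format alert line; skip anything that does not parse."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"]) if d["sport"] else None
        d["dport"] = int(d["dport"]) if d["dport"] else None
        yield d


def bucket(alert):
    """Group ICMP as one bucket; everything else by protocol and destination port."""
    if alert["proto"] == "ICMP":
        return "ICMP"
    return f"{alert['proto']}/{alert['dport']}"


def summarize(text):
    """Return {bucket: (count, percent_of_total)} ordered from most to least common."""
    counts = Counter(bucket(a) for a in parse_fast_alerts(text))
    total = sum(counts.values())
    return {k: (n, round(100.0 * n / total, 1)) for k, n in counts.most_common()}


def web_sweepers(text, decoy_space, min_hosts=2):
    """Sources that sent TCP/80 to at least min_hosts distinct decoy addresses.

    No host in decoy_space serves HTTP, so repeated TCP/80 hits across several of
    them are unsolicited sweeping rather than a user mistyping one URL.
    """
    hits = {}
    for a in parse_fast_alerts(text):
        if a["proto"] == "TCP" and a["dport"] == 80 and ip_address(a["dst"]) in decoy_space:
            hits.setdefault(a["src"], set()).add(a["dst"])
    return sorted(src for src, dsts in hits.items() if len(dsts) >= min_hosts)


if __name__ == "__main__":
    for name, (n, pct) in summarize(SAMPLE_ALERTS).items():
        print(f"{name:10s} {n:4d} {pct:5.1f}%")
    print("TCP/80 sweepers across decoy space:", web_sweepers(SAMPLE_ALERTS, DECOY_SPACE))
```

Run against a real alert file by reading it into `text` in place of `SAMPLE_ALERTS` and setting `DECOY_SPACE` to the range LaBrea holds; the percentages are what lets you tell a volume change (more of the same port 80 sweeping) from a change in character (a new port showing up in the long tail).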