[Snort-users] LaBrea escalates event volume

Chris Green cmg at ...1935...
Mon Mar 18 17:16:20 EST 2002


Bill McCarty <bmccarty at ...5196...> writes:

> Hi James,
>
>> From what I can make out, these are typical scans and probes. If
>> they're at
> all unusual, they're unusual in volume, not characteristics.
>
> The majority -- perhaps 75% -- are TCP connections to port 80. A large
> minority -- perhaps 10% -- are ICMP, mainly pings and replies. Then,
> we have the usual 21, 22, 111, 443, et cetera, making up the balance.
>
> I chose to write custom alerts against these events because an attempt
> to access a non-existent host on a private network seemed to me to be
> at least somewhat hostile. The volume of non-custom Snort alerts that
> I see does not seem more than that reported by others.

Ok knowing they are custom rules causes a lot less eyebrows to raise
up ;-)

75% are probably code red/nimda ( these machines have no webservers
correct? )

10% are probably ping sweeps

and the rest are the sweeps we all know and love <sigh>
-- 
Chris Green <cmg at ...1935...>
You now have 14 minutes to reach minimum safe distance.





More information about the Snort-users mailing list