[Snort-users] LaBrea escalates event volume

Bill McCarty bmccarty at ...5196...
Mon Mar 18 18:29:04 EST 2002

Hi Chris,

I don't think that the port 80 stuff is CodeRed or similar. Here's why.

When I turn off my custom rules, I don't get all that many alerts. However, 
I do get an occasional CodeRed. I conclude that, if the packets were 
CodeRed, I'd continue getting a high volume of alerts when I turn off my 
custom rules. But, the volume goes down by a order of magnitude. So, I 
figure they're not CodeRed. Does that make sense?

Looking at packet logs, I see stuff like "GET /dddddddddddddddddddddddd". I 
take these for intended buffer overflows. But, they generally seem way too 
short to do the job. Mind you, I have little experience with IIS and don't 
currently run any IIS boxes. So, perhaps I'm overstating its resistance to 
such apparently puny requests.

But, even if I'm wrong and it is CodeRed or similar traffic, aren't I 
seeing too many of them? BTW, they're not coming from my network 
neighborhood. A goodly number come from Europe or Asia/Pacific. Many of the 
IP addresses are not resolvable by DNS.

You're right that most of the destination hosts are mere phantoms created 
by LaBrea.


--On Monday, March 18, 2002 8:15 PM -0500 Chris Green <cmg at ...1935...> 

> Bill McCarty <bmccarty at ...5196...> writes:
>> Hi James,
>>> From what I can make out, these are typical scans and probes. If
>>> they're at
>> all unusual, they're unusual in volume, not characteristics.
>> The majority -- perhaps 75% -- are TCP connections to port 80. A large
>> minority -- perhaps 10% -- are ICMP, mainly pings and replies. Then,
>> we have the usual 21, 22, 111, 443, et cetera, making up the balance.
>> I chose to write custom alerts against these events because an attempt
>> to access a non-existent host on a private network seemed to me to be
>> at least somewhat hostile. The volume of non-custom Snort alerts that
>> I see does not seem more than that reported by others.
> Ok knowing they are custom rules causes a lot less eyebrows to raise
> up ;-)
> 75% are probably code red/nimda ( these machines have no webservers
> correct? )
> 10% are probably ping sweeps
> and the rest are the sweeps we all know and love <sigh>
> --
> Chris Green <cmg at ...1935...>
> You now have 14 minutes to reach minimum safe distance.

Bill McCarty, Ph.D.
Associate Professor of Web & Information Technology
School of Business and Management
Azusa Pacific University

More information about the Snort-users mailing list