[Snort-users] LaBrea escalates event volume

Chris Green cmg at ...1935...
Mon Mar 18 20:14:05 EST 2002


Bill McCarty <bmccarty at ...5196...> writes:

> Hi Chris,
>
> I don't think that the port 80 stuff is CodeRed or similar. Here's why.
>
> When I turn off my custom rules, I don't get all that many
> alerts. However, I do get an occasional CodeRed. I conclude that, if
> the packets were CodeRed, I'd continue getting a high volume of alerts
> when I turn off my custom rules. But, the volume goes down by an order
> of magnitude. So, I figure they're not CodeRed. Does that make
> sense?

Do these machines have webservers on them?  If they don't, you're not
going to see the successful TCP connections. Though if they do have
webservers, I have no answer.

-- 
Chris Green <cmg at ...1935...>
This is my signature. There are many like it but this one is mine.
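The distinction the thread turns on (a handshake that a tarpit answers versus a real HTTP exchange a web server answers) can be shown on a handful of packets. The following is an added example written for this page; it is not code from the thread, from LaBrea or from Snort. It assumes a tarpit replies to a SYN with a SYN/ACK carrying a very small receive window and never sends data of its own, so a probing client can only push a few bytes of its request; it uses the string `/default.ida?` as an illustrative Code Red content marker, and every packet below is constructed.

```python
"""Classify constructed port-80 flows and compare two alert sources:
a crude "any port 80 connection" rule and a content-matching rule."""
from collections import defaultdict

TINY_WINDOW = 16                    # assumption: a tarpit advertises a window this small or smaller
CODE_RED_MARKER = b"/default.ida?"  # illustrative content match for a Code Red probe

CLIENT = "10.9.9.1"                 # the scanning host in the constructed traffic


def _tarpit_flow(dst, sport):
    """Constructed packets for a probe against an address a tarpit is answering:
    the handshake completes, but the tiny window lets only a request fragment through."""
    return [
        (CLIENT, dst, sport, 80, "S", 8192, b""),
        (dst, CLIENT, 80, sport, "SA", 10, b""),
        (CLIENT, dst, sport, 80, "A", 8192, b""),
        (CLIENT, dst, sport, 80, "PA", 8192, b"GET /defau"),
    ]


# Constructed sample packets: (src, dst, sport, dport, tcp_flags, window, payload)
CONSTRUCTED_PACKETS = (
    [   # Probe against a real web server: full handshake, then the whole GET.
        (CLIENT, "192.0.2.10", 40001, 80, "S", 8192, b""),
        ("192.0.2.10", CLIENT, 80, 40001, "SA", 5840, b""),
        (CLIENT, "192.0.2.10", 40001, 80, "A", 8192, b""),
        (CLIENT, "192.0.2.10", 40001, 80, "PA", 8192, b"GET /default.ida?NNNN HTTP/1.0\r\n"),
    ]
    + _tarpit_flow("192.0.2.77", 40002)
    + _tarpit_flow("192.0.2.78", 40003)
    + _tarpit_flow("192.0.2.79", 40004)
    + [(CLIENT, "192.0.2.99", 40005, 80, "S", 8192, b"")]   # SYN that nobody answers
)


def flow_key(pkt):
    """Canonical (client, server, client_port, 80) key for either direction of a flow."""
    src, dst, sport, dport = pkt[:4]
    if dport == 80:
        return (src, dst, sport, dport)
    return (dst, src, dport, sport)


def classify_flows(packets):
    """Label each flow 'unanswered', 'tarpit' or 'http'."""
    flows = defaultdict(list)
    for pkt in packets:
        flows[flow_key(pkt)].append(pkt)
    labels = {}
    for key, pkts in flows.items():
        client = key[0]
        from_server = [p for p in pkts if p[0] != client]
        synacks = [p for p in from_server if "S" in p[4] and "A" in p[4]]
        if not synacks:
            labels[key] = "unanswered"
        elif all(p[5] <= TINY_WINDOW for p in synacks) and not any(p[6] for p in from_server):
            labels[key] = "tarpit"     # handshake completed, tiny window, never any server data
        else:
            labels[key] = "http"
    return labels


def label_counts(packets):
    """How many flows of each kind the classifier saw."""
    counts = {}
    for label in classify_flows(packets).values():
        counts[label] = counts.get(label, 0) + 1
    return counts


def port80_connection_alerts(packets):
    """Crude custom rule: one alert per SYN/ACK leaving port 80 (every answered flow fires)."""
    return sum(1 for p in packets if p[2] == 80 and "S" in p[4] and "A" in p[4])


def code_red_content_alerts(packets):
    """Content rule: alert only when a client packet to port 80 carries the marker."""
    return sum(1 for p in packets if p[3] == 80 and CODE_RED_MARKER in p[6])


if __name__ == "__main__":
    print("flows:", label_counts(CONSTRUCTED_PACKETS))
    print("port-80 connection alerts:", port80_connection_alerts(CONSTRUCTED_PACKETS))
    print("Code Red content alerts:", code_red_content_alerts(CONSTRUCTED_PACKETS))
```

On the constructed traffic the connection-oriented rule fires four times, once for every address that answered, while the content rule fires once, only for the flow that reached a real web server and carried a complete request. Tarpitted flows complete the handshake but never deliver enough of the request for a content match, which is the kind of gap a flags-only custom rule would fill with alerts.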
