[Snort-users] LaBrea escalates event volume
cmg at ...1935...
Mon Mar 18 20:14:05 EST 2002
Bill McCarty <bmccarty at ...5196...> writes:
> Hi Chris,
> I don't think that the port 80 stuff is CodeRed or similar. Here's why.
> When I turn off my custom rules, I don't get all that many
> alerts. However, I do get an occasional CodeRed. I conclude that, if
> the packets were CodeRed, I'd continue getting a high volume of alerts
> when I turn off my custom rules. But, the volume goes down by an order
> of magnitude. So, I figure they're not CodeRed. Does that make
Do these machines have webservers on them? If they don't, you're not
going to see the successful TCP connections. Though if they do have
webservers, I have no answer.
Chris Green <cmg at ...1935...>
This is my signature. There are many like it but this one is mine.