[Snort-users] LaBrea escalates event volume

Bill McCarty bmccarty at ...5196...
Mon Mar 18 21:52:03 EST 2002

Hi Chris,

Ahh! I see where I've failed to explain fully.

LaBrea is tricky. Its phantom hosts _do_ complete a 3-way TCP handshake 
with an attacker. So, even though these IPs have no associated web server, 
an attempt to connect to port 80 -- or whatever port the attacker is using 
-- via TCP succeeds. That's why I'm able to inspect the logged packets.


--On Monday, March 18, 2002 11:13 PM -0500 Chris Green <cmg at ...1935...> 

> Bill McCarty <bmccarty at ...5196...> writes:
>> Hi Chris,
>> I don't think that the port 80 stuff is CodeRed or similar. Here's why.
>> When I turn off my custom rules, I don't get all that many
>> alerts. However, I do get an occasional CodeRed. I conclude that, if
>> the packets were CodeRed, I'd continue getting a high volume of alerts
>> when I turn off my custom rules. But, the volume goes down by an order
>> of magnitude. So, I figure they're not CodeRed. Does that make
>> sense?
> Do these machines have webservers on them?  If they don't, you're not
> going to see the successful TCP connections.. Though if they do have
> webservers, I have no answer.

Bill McCarty
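The point Bill makes above, that a tarpit's phantom host finishes the handshake and therefore lets the sniffer see the request, can be shown with a small simulation. The following is an added example, not code from the thread or from the LaBrea project: it models a phantom host that answers a SYN with SYN/ACK and then acknowledges the first data segment with a zero window (a simplified stand-in for LaBrea's hold-the-connection behaviour), puts a passive "sniffer" on the wire, and contrasts it with a genuinely unused IP that never answers. Class names, the seq/ack numbers and the request bytes are constructed for the demonstration.

```python
"""Toy model of why an IDS sees request payloads sent to tarpit phantom IPs.

Added example, not part of the original Snort-users thread and not LaBrea's
source. The tarpit behaviour (SYN/ACK, then ACK with window 0) is a
simplified model; field values below are constructed sample data.
"""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "RST", "FIN"}
    seq: int
    ack: int = 0
    window: int = 65535
    payload: bytes = b""


class PhantomHost:
    """Answers TCP segments for an unused IP the way a tarpit would."""

    def __init__(self, ip: str, isn: int = 1000):
        self.ip = ip
        self.isn = isn
        self.established = set()   # (client_ip, client_port) pairs

    def respond(self, seg: Segment) -> Optional[Segment]:
        if seg.dst != self.ip:
            return None
        key = (seg.src, seg.sport)
        common = dict(src=self.ip, dst=seg.src, sport=seg.dport, dport=seg.sport)
        if seg.flags == {"SYN"}:
            # Handshake step 2: SYN/ACK with a deliberately small window.
            return Segment(flags=frozenset({"SYN", "ACK"}), seq=self.isn,
                           ack=seg.seq + 1, window=10, **common)
        if "ACK" in seg.flags and not seg.payload and key not in self.established:
            # Handshake step 3: the client's ACK completes the connection.
            self.established.add(key)
            return None
        if key in self.established and seg.payload:
            # Data arrived: acknowledge it with window 0 so the client stalls.
            return Segment(flags=frozenset({"ACK"}), seq=self.isn + 1,
                           ack=seg.seq + len(seg.payload), window=0, **common)
        return None


class SilentHost:
    """A genuinely unused IP with nothing answering: SYNs are ignored."""

    def __init__(self, ip: str):
        self.ip = ip

    def respond(self, seg: Segment) -> Optional[Segment]:
        return None


class Sniffer:
    """Stand-in for an IDS tap: records every segment that crosses the wire."""

    def __init__(self):
        self.seen = []

    def tap(self, seg: Optional[Segment]) -> Optional[Segment]:
        if seg is not None:
            self.seen.append(seg)
        return seg


def probe(target, sniffer: Sniffer, client_ip: str = "192.0.2.10",
          sport: int = 40000, dport: int = 80,
          request: bytes = b"GET / HTTP/1.0\r\n\r\n") -> dict:
    """Simulated client: connect to `target` on `dport` and send one request.

    Returns whether the handshake completed, whether any payload ever crossed
    the wire (and so was visible to the sniffer), and whether the peer stalled
    the client with a zero window.
    """
    c = dict(src=client_ip, dst=target.ip, sport=sport, dport=dport)
    syn = Segment(flags=frozenset({"SYN"}), seq=500, **c)
    synack = sniffer.tap(target.respond(sniffer.tap(syn)))
    if synack is None or synack.flags != {"SYN", "ACK"}:
        # No SYN/ACK: the client never gets to send its request.
        return {"connected": False, "payload_on_wire": False, "stalled": False}
    ack = Segment(flags=frozenset({"ACK"}), seq=501, ack=synack.seq + 1, **c)
    sniffer.tap(target.respond(sniffer.tap(ack)))
    data = Segment(flags=frozenset({"ACK"}), seq=501, ack=synack.seq + 1,
                   payload=request, **c)
    reply = sniffer.tap(target.respond(sniffer.tap(data)))
    return {
        "connected": True,
        "payload_on_wire": any(s.payload for s in sniffer.seen),
        "stalled": reply is not None and reply.window == 0,
    }


if __name__ == "__main__":
    for host in (PhantomHost("203.0.113.5"), SilentHost("203.0.113.6")):
        sn = Sniffer()
        print(type(host).__name__, probe(host, sn), "segments on wire:", len(sn.seen))
```

Against the phantom host the sniffer records five segments, including the client's request, which is exactly what lets a signature rule fire and the analyst inspect the logged packet; against the silent IP only the lone SYN is ever on the wire, which is the case Chris had in mind.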
