[Snort-users] LaBrea escalates event volume

Bill McCarty bmccarty at ...5196...
Mon Mar 18 21:52:03 EST 2002


Hi Chris,

Ahh! I see where I've failed to explain fully.

LaBrea is tricky. Its phantom hosts _do_ complete a 3-way TCP handshake 
with an attacker. So, even though these IPs have no associated web server, 
an attempt to connect to port 80 -- or whatever port the attacker is using 
-- via TCP succeeds. That's why I'm able to inspect the logged packets.

Cheers,

--On Monday, March 18, 2002 11:13 PM -0500 Chris Green <cmg at ...1935...> 
wrote:

> Bill McCarty <bmccarty at ...5196...> writes:
>
>> Hi Chris,
>>
>> I don't think that the port 80 stuff is CodeRed or similar. Here's why.
>>
>> When I turn off my custom rules, I don't get all that many
>> alerts. However, I do get an occasional CodeRed. I conclude that, if
>> the packets were CodeRed, I'd continue getting a high volume of alerts
>> when I turn off my custom rules. But, the volume goes down by an order
>> of magnitude. So, I figure they're not CodeRed. Does that make
>> sense?
>
> Do these machines have webservers on them?  If they don't, you're not
> going to see the successful TCP connections.. Though if they do have
> webservers, I have no answer.

---------------------------------------------------
Bill McCarty
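As an added illustration of the point above (example code written for this page, not LaBrea's or Snort's own code): a small TCP handshake tracker run over constructed packet records. The tarpit host answers the SYN with SYN/ACK, so the client finishes the handshake and sends its request, and that request payload is what ends up in the sensor's logs. A host that answers with RST, or no host at all, never yields a payload to inspect. All addresses, ports and packets are constructed sample data.

```python
"""Added example (not from the original post): track TCP 3-way handshakes
over constructed packet records and collect the payloads that follow a
completed handshake. A LaBrea phantom host replies SYN/ACK, so the client
reaches ESTABLISHED and sends its request; a closed port on a real host
replies RST; an unused address replies with nothing."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]  # (client ip, client port, server ip, server port)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str               # TCP flags as letters, e.g. "S", "SA", "A", "PA", "R"
    payload: bytes = b""


@dataclass
class Flow:
    state: str = "SYN_SENT"
    payloads: List[bytes] = field(default_factory=list)


def track(packets: List[Packet]) -> Dict[FlowKey, Flow]:
    """Minimal client-side TCP state machine keyed on the client-initiated flow."""
    flows: Dict[FlowKey, Flow] = {}
    for p in packets:
        fwd: FlowKey = (p.src, p.sport, p.dst, p.dport)   # client -> server
        rev: FlowKey = (p.dst, p.dport, p.src, p.sport)   # server -> client
        if p.flags == "S" and fwd not in flows:
            flows[fwd] = Flow()                            # SYN seen from client
        elif rev in flows and flows[rev].state == "SYN_SENT":
            if p.flags == "SA":
                flows[rev].state = "SYN_RECEIVED"          # server (or tarpit) answered
            elif "R" in p.flags:
                flows[rev].state = "REFUSED"               # closed port on a live host
        elif fwd in flows:
            f = flows[fwd]
            if f.state == "SYN_RECEIVED" and "A" in p.flags:
                f.state = "ESTABLISHED"                    # handshake completed
            if f.state == "ESTABLISHED" and p.payload:
                f.payloads.append(p.payload)               # inspectable request data
    return flows


def states(flows: Dict[FlowKey, Flow]) -> Dict[FlowKey, str]:
    return {k: f.state for k, f in flows.items()}


def captured_payloads(flows: Dict[FlowKey, Flow]) -> Dict[FlowKey, List[bytes]]:
    """Only flows that completed the handshake ever carry client payload."""
    return {k: f.payloads for k, f in flows.items() if f.payloads}


# Constructed sample traffic: one scanner, three target addresses on port 80.
ATTACKER = "203.0.113.5"
PHANTOM = "192.0.2.10"    # LaBrea phantom host: no web server, but answers SYN/ACK
LIVE_CLOSED = "192.0.2.11"  # real host with nothing listening on 80
UNUSED = "192.0.2.12"     # nobody home, no reply at all

SAMPLE: List[Packet] = [
    Packet(ATTACKER, 40001, PHANTOM, 80, "S"),
    Packet(PHANTOM, 80, ATTACKER, 40001, "SA"),
    Packet(ATTACKER, 40001, PHANTOM, 80, "A"),
    Packet(ATTACKER, 40001, PHANTOM, 80, "PA", b"GET / HTTP/1.0\r\n\r\n"),
    Packet(ATTACKER, 40002, LIVE_CLOSED, 80, "S"),
    Packet(LIVE_CLOSED, 80, ATTACKER, 40002, "RA"),
    Packet(ATTACKER, 40003, UNUSED, 80, "S"),
]

if __name__ == "__main__":
    flows = track(SAMPLE)
    for key, state in states(flows).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {state}")
    for key, payloads in captured_payloads(flows).items():
        print("payload from", key[0], "to", key[2], ":", payloads)
```

Running it shows the phantom flow reaching ESTABLISHED with the GET request attached, the closed port ending in REFUSED, and the unused address stuck in SYN_SENT with nothing to inspect.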
