[Snort-users] Some standards in my alerts

Joao Daniel Neves joaodanielnevesss at ...125...
Tue Apr 2 14:09:21 EDT 2013


Hi,

I have noticed a 'little standard' in my alerts. For example, my company has more than 1000 IP addresses.
I'm using BASE, and when I make a filter to show only unique source IPs for a given alert, I can notice that
a lot of alerts stop scanning my network when they reach about 700 scanned IPs (700 different destination IPs).
(In other words, generally one source IP gives up scanning my network when it has scanned about 700 IPs.)

 For example: 

IP X.Y.Z.K tried 717 IPs of my network. (The rule that triggered it was traceroute.)
IP A.B.C.D tried 699 IPs of my network. (The rule that triggered it was CyberKit Ping.)

And a lot of other examples like this.

I wish to know if some guys around the world have noticed something like this.
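
The per-source, per-signature count of distinct destination IPs that the poster reads off the BASE unique-IP filter, reproduced here as an added example that parses Snort alert_fast lines directly. This is not code from the original post, from Snort or from BASE; the sample alert lines, the SIDs, messages and classification strings in SAMPLE_ALERTS are constructed for illustration, and the function and threshold names are the example's own. On a real alert file, the ceiling the poster describes (sources stopping near 700 targets) would show up as a spike in one bucket of coverage_histogram.

```python
import re
from collections import defaultdict

# Constructed sample alert_fast lines (not the poster's data). Shape:
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
# One destination is repeated for the traceroute source to show that counting is per distinct target.
SAMPLE_ALERTS = """\
04/02-13:58:01.100000  [**] [1:385:4] ICMP traceroute [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 198.51.100.1
04/02-13:58:01.200000  [**] [1:385:4] ICMP traceroute [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 198.51.100.2
04/02-13:58:01.300000  [**] [1:385:4] ICMP traceroute [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 198.51.100.3
04/02-13:58:01.400000  [**] [1:385:4] ICMP traceroute [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 198.51.100.3
04/02-13:58:01.500000  [**] [1:385:4] ICMP traceroute [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 198.51.100.4
04/02-14:01:12.000000  [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.1
04/02-14:01:12.050000  [**] [1:483:5] ICMP PING CyberKit 2.2 Windows [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.77 -> 198.51.100.2
04/02-14:03:40.000000  [**] [1:1000001:1] LOCAL SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.77:40001 -> 198.51.100.5:22
this line is not an alert and must be skipped
"""

# alert_fast line grammar; ports are optional because ICMP alerts carry none.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Return the fields of one alert_fast line as a dict, or None if the line is not an alert."""
    m = FAST_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    return fields


def distinct_targets(lines):
    """(sid, msg) -> source IP -> set of distinct destination IPs seen for that signature."""
    table = defaultdict(lambda: defaultdict(set))
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None:
            continue
        table[(alert["sid"], alert["msg"])][alert["src"]].add(alert["dst"])
    return table


def target_counts(lines):
    """(sid, msg) -> source IP -> number of distinct destinations: the figure the BASE unique-IP view shows."""
    return {
        sig: {src: len(dsts) for src, dsts in by_src.items()}
        for sig, by_src in distinct_targets(lines).items()
    }


def sources_at_or_above(lines, threshold):
    """(msg, src, distinct_targets) for every source that reached `threshold` targets, largest first."""
    rows = [
        (sig[1], src, n)
        for sig, by_src in target_counts(lines).items()
        for src, n in by_src.items()
        if n >= threshold
    ]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def coverage_histogram(lines, bucket=100):
    """Bucket every (signature, source) pair by how many distinct targets it reached.

    Sources that all give up at about the same coverage (the poster's ~700) land in one bucket.
    """
    hist = defaultdict(int)
    for by_src in target_counts(lines).values():
        for n in by_src.values():
            hist[(n // bucket) * bucket] += 1
    return dict(hist)


if __name__ == "__main__":
    lines = SAMPLE_ALERTS.splitlines()
    for msg, src, n in sources_at_or_above(lines, 1):
        print(f"{src:>15}  {n:>4} distinct targets  {msg}")
    print(coverage_histogram(lines, bucket=2))
```

Against a real alert file, read the lines with open(path) instead of SAMPLE_ALERTS, keep bucket=100 and use a threshold near the ceiling being investigated (for example 650) to list the sources that stopped just short of it.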