all unusual, they're unusual in volume, not characteristics.
The majority -- perhaps 75% -- are TCP connections to port 80. A large
minority -- perhaps 10% -- are ICMP, mainly pings and replies. Then, we
have the usual 21, 22, 111, 443, et cetera, making up the balance.
I chose to write custom alerts against these events because an attempt to
access a non-existent host on a private network seemed to me to be at least
somewhat hostile. The volume of non-custom Snort alerts that I see does not
seem more than that reported by others.
--On Monday, March 18, 2002 3:07 PM -0700 james <the_saint_james at ...131...>
>> I recently deployed LaBrea and added Snort rules that generate alerts
>> when a foreign host interacts with a LaBrea phantom host. I've been
>> amazed at the amount of associated traffic.
>> LaBrea only tarpits a host every few seconds. But, I see 4,000-10,000
>> attempted connections per hour against the phantom hosts. These don't
>> appear to be a concerted attack by one or a few individuals. The IP
>> addresses are quite varied and don't seem to reappear often. I'm simply
>> getting hit from everywhere.
> What is the nature of these "4,000-10,000 attempted connections per hour
> against the phantom hosts"? (i.e. what port, exploit, etc.)
Bill McCarty, Ph.D.
Associate Professor of Web & Information Technology
School of Business and Management
Azusa Pacific University
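A way to derive the protocol and port breakdown Bill describes (mostly TCP/80, then ICMP, then 21/22/111/443) from Snort's "fast" alert output, added here as an example and not code from the thread; the alert lines, the rule name and the phantom-host addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed Snort "fast"-format alert lines, of the kind a custom rule that
# fires on any contact with LaBrea phantom hosts might log. Addresses and the
# rule text are placeholders, not data from the post.
SAMPLE_ALERTS = """\
03/18-14:55:02.123456  [**] [1:1000001:1] LOCAL phantom host contact [**] [Priority: 2] {TCP} 192.0.2.10:3456 -> 10.0.0.201:80
03/18-14:55:03.223456  [**] [1:1000001:1] LOCAL phantom host contact [**] [Priority: 2] {TCP} 198.51.100.7:1025 -> 10.0.0.202:80
03/18-14:55:04.323456  [**] [1:1000001:1] LOCAL phantom host contact [**] [Priority: 2] {ICMP} 203.0.113.9 -> 10.0.0.203
03/18-14:55:05.423456  [**] [1:1000001:1] LOCAL phantom host contact [**] [Priority: 2] {TCP} 192.0.2.10:3457 -> 10.0.0.204:22
03/18-14:55:06.523456  [**] [1:1000001:1] LOCAL phantom host contact [**] [Priority: 2] {TCP} 198.51.100.8:1026 -> 10.0.0.201:80
"""

# Protocol in braces, then "src[:port] -> dst[:port]"; ICMP lines carry no ports.
ALERT_RE = re.compile(
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)


def summarize(alert_text):
    """Tally phantom-host contacts by protocol/destination port, count
    distinct source addresses, and express each service as a share of all hits."""
    by_service = Counter()
    sources = set()
    total = 0
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a fast-format alert line; ignore it
        total += 1
        sources.add(m.group("src"))
        # Key is "TCP/80", "UDP/111", ... or just the protocol when there is no port.
        if m.group("dport") is None:
            key = m.group("proto")
        else:
            key = f"{m.group('proto')}/{m.group('dport')}"
        by_service[key] += 1
    share = {k: round(100.0 * v / total, 1) for k, v in by_service.items()} if total else {}
    return {"total": total, "unique_sources": len(sources),
            "counts": dict(by_service), "percent": share}


if __name__ == "__main__":
    report = summarize(SAMPLE_ALERTS)
    print(f"{report['total']} hits from {report['unique_sources']} distinct sources")
    for service, pct in sorted(report["percent"].items(), key=lambda kv: -kv[1]):
        print(f"  {service:10s} {pct:5.1f}%")
```

Feeding a real alert file in place of SAMPLE_ALERTS gives the same per-port shares and the distinct-source count, which is the quickest check on whether the traffic is broad background scanning (many sources, few repeats) or a handful of persistent hosts.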