From: Russell Fulton (r.fultonauckland.ac.nz)
Date: Wed Aug 01 2001 - 14:09:58 CDT

    On Wed, 01 Aug 2001 11:52:09 -0400 Chris Brenton <cbrentonaltenet.com>
    wrote:

    > Alfred Huger wrote:
    > >
    >
    >
    > > A lot of the people mailing me last night and this morning were sending
    > > firewall logs, not IDS logs.

    I'm one of them.

    >
    > Agreed again. No packet decode, no confirmed hit. Otherwise we'll be
    > looking at greatly skewed numbers. Using that criterion I could claim
    > 14K+ Code Red infected systems back in April (oh wait, Code Red was not
    > even around yet... ;).
    >
    I also agree that we cannot be certain that these are CR probes without
    IDS fingerprints. That said, my data (from argus logs) measuring SYN
    packets to non-existent/firewalled machines shows an exponential
    increase starting at midnight UTC, and now I am seeing over 40,000
    individual IPs probing on port 80. Starting at ^:35 (UTC + 1200) I am
    also seeing hits on the Snort .ida rules (70 in the last half hour).

    All very odd!!

    Russell Fulton, Computer and Network Security Officer
    The University of Auckland, New Zealand

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
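The distinction the thread draws, counting unique sources that SYN-probe port 80 on dark or firewalled address space versus counting only sources with an IDS-decoded .ida hit, can be made concrete in a few lines. The following is an added example, not code from the thread or from Russell Fulton; it assumes a simplified space-separated flow record (a stand-in for argus output, whose real field layout is not reproduced here) and single-line constructed alert records loosely modelled on Snort's alert text. All addresses, timestamps and rule names in it are constructed.

```python
"""Unique port-80 SYN probers per hour (flow logs) vs. IDS-confirmed sources.

Added example, not from the original thread. The FLOW_LOG and IDS_ALERTS
formats are constructed stand-ins, not real argus or Snort output.
"""
from collections import defaultdict

# Constructed flow records: "timestamp proto src dst dport flags".
# Included edge cases: a source repeated within one hour (counted once),
# a SYN to a live web server (not dark space), a SYN to port 22, and a
# flow whose flags show a completed handshake (SA), not a bare probe.
FLOW_LOG = """\
2001-08-01T00:05:12Z tcp 198.51.100.7 203.0.113.20 80 S
2001-08-01T00:40:03Z tcp 198.51.100.9 203.0.113.21 80 S
2001-08-01T00:41:00Z tcp 198.51.100.9 203.0.113.22 80 S
2001-08-01T01:10:44Z tcp 198.51.100.7 203.0.113.22 80 S
2001-08-01T01:15:00Z tcp 198.51.100.30 203.0.113.22 80 S
2001-08-01T01:20:18Z tcp 198.51.100.31 203.0.113.23 80 S
2001-08-01T01:22:51Z tcp 198.51.100.32 203.0.113.24 80 S
2001-08-01T01:30:00Z tcp 198.51.100.33 203.0.113.5 80 S
2001-08-01T01:31:09Z tcp 198.51.100.34 203.0.113.25 22 S
2001-08-01T01:32:00Z tcp 198.51.100.35 203.0.113.26 80 SA
2001-08-01T02:02:37Z tcp 198.51.100.40 203.0.113.26 80 S
2001-08-01T02:05:11Z tcp 198.51.100.41 203.0.113.27 80 S
2001-08-01T02:09:48Z tcp 198.51.100.42 203.0.113.28 80 S
2001-08-01T02:14:02Z tcp 198.51.100.43 203.0.113.20 80 S
2001-08-01T02:21:30Z tcp 198.51.100.44 203.0.113.21 80 S
2001-08-01T02:33:17Z tcp 198.51.100.45 203.0.113.22 80 S
2001-08-01T02:41:55Z tcp 198.51.100.46 203.0.113.23 80 S
2001-08-01T02:50:06Z tcp 198.51.100.47 203.0.113.24 80 S
"""

# Constructed IDS alert lines (one per line, loosely Snort-like).
IDS_ALERTS = """\
[**] WEB-IIS ISAPI .ida attempt [**] 2001-08-01T00:35:12Z 198.51.100.7:3217 -> 203.0.113.5:80
[**] WEB-IIS ISAPI .ida attempt [**] 2001-08-01T01:30:01Z 198.51.100.33:4410 -> 203.0.113.5:80
[**] WEB-MISC unrelated rule [**] 2001-08-01T01:40:00Z 198.51.100.50:1234 -> 203.0.113.5:80
"""

# Assumed dark space: addresses with no host behind them (or firewalled).
DARK_HOSTS = {f"203.0.113.{n}" for n in range(20, 30)}


def parse_flows(text):
    """Parse the constructed flow format into dicts; skip blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, dport, flags = line.split()
        flows.append({"ts": ts, "proto": proto, "src": src,
                      "dst": dst, "dport": int(dport), "flags": flags})
    return flows


def hourly_unique_probers(flows, dark_hosts, port=80):
    """Map hour -> set of sources that sent a bare SYN to dark space on `port`."""
    by_hour = defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp" or f["dport"] != port or f["flags"] != "S":
            continue
        if f["dst"] not in dark_hosts:
            continue
        by_hour[f["ts"][:13]].add(f["src"])  # "YYYY-MM-DDTHH" bucket
    return dict(by_hour)


def hourly_counts(by_hour):
    """Unique-source counts in chronological hour order."""
    return [len(by_hour[h]) for h in sorted(by_hour)]


def growth_ratios(counts):
    """Hour-over-hour ratios; a steady ratio > 1 is the exponential signature."""
    return [counts[i] / counts[i - 1]
            for i in range(1, len(counts)) if counts[i - 1]]


def ida_sources(alert_text):
    """Source IPs from alert lines that fired an .ida rule (decoded payload)."""
    srcs = set()
    for line in alert_text.splitlines():
        if ".ida" not in line:
            continue
        src_port = line.split(" -> ")[0].rsplit(" ", 1)[1]  # "ip:port"
        srcs.add(src_port.rsplit(":", 1)[0])
    return srcs


def split_confirmed(by_hour, confirmed):
    """Split all dark-space probers into IDS-confirmed and unconfirmed sets."""
    probers = set().union(*by_hour.values()) if by_hour else set()
    return probers & confirmed, probers - confirmed


if __name__ == "__main__":
    hours = hourly_unique_probers(parse_flows(FLOW_LOG), DARK_HOSTS)
    counts = hourly_counts(hours)
    conf, unconf = split_confirmed(hours, ida_sources(IDS_ALERTS))
    print("unique probers per hour:", counts, "ratios:", growth_ratios(counts))
    print("IDS-confirmed:", len(conf), "unconfirmed (flow-only):", len(unconf))
```

The flow-only count grows 2, 4, 8 across the three constructed hours, which is the kind of curve the post describes, but only one of those thirteen sources also appears in a decoded .ida alert; the rest stay "probing port 80" rather than "Code Red infected", which is exactly the skew the quoted reply warns about when firewall logs are counted as confirmed hits.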