Attacks vs Probes
From: James C Slora Jr (Jim.Slora phra.com)
Date: Fri Apr 15 2005 - 12:14:25 CDT
We all have our opinions on whether to classify TCP Syns to filtered or
closed ports as attack attempts or harmless portscans.
Is there anyone on the list who has been running a very promiscuous
honeypot, and who might be able to offer some statistics on the percentages
of Syns that are connection initiations for attack attempts versus those
that are just portscans with no payload besides information gathering?
I recognize that opinions will still vary about how to classify an attack
attempt that gets killed at the Syn stage, and about whether worm activity
constitutes an attack. But I think the statistics might provide some
interesting insights, especially if they can be compared to any similar
analysis from past years.