VP Engineering
SecurityFocus.com
"Vae Victis"

---------- Forwarded message ----------
Date: Wed, 1 Aug 2001 12:31:30 -0400 (EDT)
From: Ken Eichman <keichmanat_private>
To: handlerat_private, jullrichat_private, certat_private, certat_private, marcat_private, vickiat_private, nipc.watchat_private, alanpallerat_private, ahat_private
Cc: keichmanat_private, krichardsonat_private
Subject: explanation

Okay, just to explain where I'm getting the numbers.

Like last go-around, I'm recording TCP header info for all inbound traffic to our class B address space on our IDS. Throwing out our 'valid' HTTP traffic, I'm left with the bogus. It could be superfluous misinformation thrown in to the HTTP traffic to skew/hide/whatever; HEADS, GET x, whatever. We have 25 internet-accessible web servers; I quickly checked most and do not see any increase in that type of traffic to any of them.

Backing up the header data, I'm getting packet data captures from snort on the IDS when a Code Red probe targets specific addresses. I cannot do that for every single bogus HTTP probe because most of them target non-existent/unpopulated IP addresses.

As of 12:00 EDT I've logged 331582 "bogus HTTP requests", up from 648 yesterday, and I've logged 101 confirmed Code Red probes, up from zero the previous week.

Just to be clear, there are some assumptions that could be made either way with these numbers.

Ken Eichman                        Senior Security Engineer
Chemical Abstracts Service         Tel: (614) 447-3838 ext 3230
2540 Olentangy River Road          Fax: (614) 447-3855
Columbus, OH 43210                 Email: keichmanat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
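The triage Ken describes (keep inbound port-80 records, subtract the traffic aimed at the known web servers, count the remainder as bogus, and pull out confirmed Code Red probes separately) can be reproduced over a list of request records. The script below is an added example written for this archive page, not Ken Eichman's or CAS's tooling. The address block, the web server list and the sample records are constructed placeholders; the Code Red match pattern (a GET for /default.ida followed by a long run of N or X characters) is taken from public write-ups of the worm and is an assumption, not something the message above states.

```python
"""Classify inbound HTTP request records into valid, bogus and Code Red probe
counts, the way the forwarded message describes.  Added example, not the
original poster's code.  All addresses and records below are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed: the monitored address space (a stand-in for the class B) and the
# addresses that actually host a web server.  Anything else is "unpopulated".
MONITORED_NET = ip_network("192.0.2.0/24")
WEB_SERVERS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}

# Assumed Code Red probe shape (from public analyses, not from the message):
# GET /default.ida? followed by a long run of 'N' (v1/v2) or 'X' (CRII), then
# %u-encoded shellcode.  A hundred or more repeats is used as the threshold.
CODE_RED_RE = re.compile(r"^GET /default\.ida\?(N{100,}|X{100,})")


@dataclass
class Record:
    dst: str       # destination address inside the monitored space
    request: str   # first line of the HTTP request ("" if none was captured)


def classify(rec):
    """Return one of: outside, code_red, valid_http, bogus_http."""
    dst = ip_address(rec.dst)
    if dst not in MONITORED_NET:
        return "outside"                     # not our traffic; ignore
    if CODE_RED_RE.match(rec.request):
        return "code_red"                    # confirmed probe, any destination
    if dst in WEB_SERVERS and rec.request.startswith(("GET ", "HEAD ", "POST ")):
        return "valid_http"                  # ordinary request to a real server
    return "bogus_http"                      # port-80 traffic with no server behind it


def summarize(records):
    """Totals per class, plus how many probes hit addresses with no server."""
    counts = Counter(classify(r) for r in records)
    unpopulated = sum(
        1 for r in records
        if classify(r) in ("bogus_http", "code_red")
        and ip_address(r.dst) not in WEB_SERVERS
    )
    return {
        "valid_http": counts["valid_http"],
        "bogus_http": counts["bogus_http"],
        "code_red": counts["code_red"],
        "probes_to_unpopulated": unpopulated,
    }


# Constructed sample records standing in for what the IDS would have logged.
SAMPLE = [
    Record("192.0.2.10", "GET /index.html HTTP/1.0"),                       # valid
    Record("192.0.2.11", "HEAD / HTTP/1.1"),                                # valid
    Record("192.0.2.77", "GET / HTTP/1.0"),                                 # bogus: no server
    Record("192.0.2.78", "GET /default.ida?" + "N" * 224 + "%u9090 HTTP/1.0"),  # Code Red
    Record("192.0.2.10", "GET /default.ida?" + "X" * 224 + "%u9090 HTTP/1.0"),  # Code Red at a server
    Record("192.0.2.99", "FOO bar"),                                        # bogus: not HTTP
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:24s} {value}")
```

Checking the Code Red pattern before the web server test matters: a probe aimed at one of the populated servers should still be counted as a probe, not folded into the "valid" bucket just because the destination is real. The "probes_to_unpopulated" figure is the one that explains why packet captures cannot be pulled for most hits, since there is no host there to capture a full exchange from.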
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 09:41:22 PDT