On Wed, 01 Aug 2001 11:52:09 -0400 Chris Brenton <cbrentonat_private> wrote:
> Alfred Huger wrote:
> >
> > A lot of the people mailing me last night and this morning were sending
> > firewall logs, not IDS logs. I'm one of them.
>
> Agreed again. No packet decode, no confirmed hit. Otherwise we'll be
> looking at greatly skewed numbers. Using that criteria I could claim
> 14K+ Code Red infected systems back in April (oh wait, Code Red was not
> even around yet... ;).
>

I also agree that we cannot be certain that these are CR probes without IDS fingerprints. That said, my data (from argus logs) measuring SYN packets to non-existent/firewalled machines shows an exponential increase starting at midnight UTC, and now I am seeing over 40,000 individual IPs probing on port 80.

Starting at ^:35 (UTC + 1200) I am also seeing hits on the snort .ida rules (70 in the last half hour).

All very odd!!

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 12:49:21 PDT