Greetings All,

I have been watching the probe rate on port 80 and .ida attacks with interest since the shutdown of Code Red II at the beginning of the month. Initially we saw a sharp drop in the number of addresses doing random probes to port 80 and an almost complete absence of .ida probes logged by snort. Then a very slow increase in .ida probes (the ones padded with "NNN").

Over the last few days the .ida probe rate has risen from one or two per day to approximately 1 per hour across our network and the overall probe rate has risen from around 1500 different source IPs per hour to 1800.

The original Code Red is definitely still alive and spreading, albeit slowly.

There is one thing that puzzles me: snort (1.8.1) sometimes logs an alert for '.ida attempt' but does not log any packet and in some cases I have not been able to find the log entries in the web server logs. This suggests that something odd is breaking in snort. I have posted a query on the snort_users mailing list but have not had any response.

Any ideas?

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Oct 16 2001 - 10:46:50 PDT