re: DoS "Probing" on one of our hosts

From: Harlan Carvey (keydet89at_private)
Date: Sun Jun 29 2003 - 16:27:03 PDT


    Chris,
    
    A couple of quick questions for clarification...
    
    > So far, we've yet to determine even the most basic stuff
    
    First, if you don't even have "the most basic stuff",
    how do you know that this was a DoS attack?  Could it
    have been a network outage, perhaps from the ISP?
    
    Second, by definition, a probe and a DoS attack are
    two wildly disparate events.
    
    > is there any tool to determine the source IPs of the
    > attack (even if they're spoofed,
    
    I'm not sure that you're really aware of what you're
    asking.  
    
    > Snort sits on the attacked host and happily reports
    > SQL/Slammer and other trivial stuff, but goes through
    > one of the attacks without picking any signatures up.
    
    Snort takes action based on its
    signatures...therefore, this "attack" would not have
    been logged if the signatures for it were not in the
    snort config file.
    
    I'm very interested to see what information you can
    provide on this event, to show that it was, in fact, a
    DoS attack.  
    
    Thanks,
    
    Harlan
    
    



    This archive was generated by hypermail 2b30 : Mon Jun 30 2003 - 07:58:05 PDT