Ganu Skop wrote:
>
> I'm looking into something that should say something
> like "sensor #1 attack has been detected by sensor #2
> a month ago with the same source IP, including its
> severity and prediction."
>

Done that myself on our distributed Snort network. Thought it'd be a good way of spotting someone having a go at us as a *company* - instead of as an arbitrary host.

Unfortunately, what I primarily found out was that CodeRed moves faster than you imagine. I saw the same hosts hitting 64.* addresses one day, and 204.* addresses the next - not a bad turnaround on scanning the entire Internet...

I had high hopes that it'd be a useful tool with low false positives - but the world is not so easy these days... Still useful - but not a "killer app" type thing.

Jason

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
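The cross-sensor correlation Ganu asks for and Jason describes (same source IP seen earlier by a different sensor, with the earlier severity), plus the "is this just a worm sweeping the Internet?" caveat, as an added example. This is not code from the thread or from Snort; it parses constructed alert lines in Snort's alert_fast layout, and the mass-scanner heuristic (distinct destination hosts, threshold of 3) and the 30-day window are assumed tunables, not anything the posters specified. Snort's fast alerts carry no year, so the caller supplies one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort "alert_fast" line layout (the year is not logged, so the caller supplies it):
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_fast_alert(line, year):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f"),
        "sid": int(d["sid"]),
        "msg": d["msg"],
        "priority": int(d["prio"]),  # Snort priority: 1 is the most severe
        "src": d["src"],
        "dst": d["dst"],
    }


def index_by_source(sensor_logs, year):
    """sensor_logs: {sensor_name: [alert lines]} -> {src_ip: [sightings sorted by time]}."""
    by_src = defaultdict(list)
    for sensor, lines in sensor_logs.items():
        for line in lines:
            alert = parse_fast_alert(line, year)
            if alert:
                alert["sensor"] = sensor
                by_src[alert["src"]].append(alert)
    for sightings in by_src.values():
        sightings.sort(key=lambda a: a["ts"])
    return by_src


def destination_breadth(sightings):
    """Distinct destination hosts one source has touched across all sensors.
    Assumed heuristic: a source sweeping many hosts is probably scanning the
    whole Internet (worm-style), not targeting us as a company."""
    return len({a["dst"] for a in sightings})


def cross_sensor_hits(by_src, window_days=30, breadth_threshold=3):
    """For each alert, find the earliest prior sighting of the same source IP by a
    *different* sensor within window_days (both values are assumed defaults).
    Each hit carries the earlier sensor, its severity and a mass-scanner flag."""
    hits = []
    for src, sightings in by_src.items():
        breadth = destination_breadth(sightings)
        for i, cur in enumerate(sightings):
            for prev in sightings[:i]:  # sorted, so the first match is the earliest
                age = (cur["ts"] - prev["ts"]).days
                if prev["sensor"] != cur["sensor"] and age <= window_days:
                    hits.append({
                        "src": src,
                        "now_sensor": cur["sensor"],
                        "now_msg": cur["msg"],
                        "seen_before_by": prev["sensor"],
                        "days_ago": age,
                        "earlier_priority": prev["priority"],
                        "dst_hosts": breadth,
                        "likely_mass_scanner": breadth >= breadth_threshold,
                    })
                    break
    return hits


# Constructed sample alerts (not real captures): sensor "dmz-64" watches a 64.x range,
# sensor "dc-204" watches a 204.x range. Source addresses are from documentation ranges.
SAMPLE_LOGS = {
    "dmz-64": [
        "08/01-03:10:22.001234  [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:2043 -> 64.10.20.30:80",
        "08/01-03:10:23.004500  [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:2044 -> 64.10.20.31:80",
        "08/01-03:10:24.009100  [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:2045 -> 64.10.20.32:80",
        "08/03-11:05:09.000010  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:4111 -> 64.10.20.31:161",
        "09/20-17:42:51.000000  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.50:3322 -> 64.10.20.32:161",
    ],
    "dc-204": [
        "08/02-04:55:13.778899  [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:2910 -> 204.80.1.2:80",
        "08/03-11:40:00.000000  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:4120 -> 204.80.1.3:161",
        "08/01-09:00:00.000000  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.50:3300 -> 204.80.1.4:161",
    ],
}


def demo():
    """Run the correlation over the constructed logs and return the hits."""
    return cross_sensor_hits(index_by_source(SAMPLE_LOGS, year=2001))


if __name__ == "__main__":
    for h in demo():
        print(f"{h['src']}: {h['now_msg']} on {h['now_sensor']}; seen by {h['seen_before_by']} "
              f"{h['days_ago']} day(s) ago (priority {h['earlier_priority']}), "
              f"{h['dst_hosts']} dst hosts, mass scanner: {h['likely_mass_scanner']}")
```

On the sample data the CodeRed-style source (198.51.100.7) correlates across both sensors a day apart and is flagged as a sweep; the SNMP prober (203.0.113.9) correlates without the flag, which is the kind of hit the post hoped for; 192.0.2.50 returns 50 days later and falls outside the window. Whatever threshold you pick, a worm seen on every sensor in your company will still correlate, which is Jason's point: the correlation works, it just does not on its own separate "someone after us" from "someone after everyone".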
This archive was generated by hypermail 2b30 : Tue May 20 2003 - 10:26:30 PDT