Security Incidents mailing list archives

Attacks vs Probes


From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Fri, 15 Apr 2005 13:14:25 -0400

We all have our opinions on whether to classify TCP Syns to filtered or
closed ports as attack attempts or harmless portscans.

Is there anyone on the list who has been running a very promiscuous
honeypot, and who might be able to offer some statistics on the percentages
of Syns that are connection initiations for attack attempts versus those
that are just portscans with no payload besides information gathering?

I recognize that opinions will still vary about how to classify an attack
attempt that gets killed at the Syn stage, and about whether worm activity
constitutes an attack. But I think the statistics might provide some
interesting insights, especially if they can be compared to any similar
analysis from past years.


