Snort mailing list archives

LaBrea escalates event volume


From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 18 Mar 2002 10:23:38 -0800

I recently deployed LaBrea and added Snort rules that generate alerts when a foreign host interacts with a LaBrea phantom host. I've been amazed at the amount of associated traffic.

LaBrea only tarpits a host every few seconds. But, I see 4,000-10,000 attempted connections per hour against the phantom hosts. These don't appear to be a concerted attack by one or a few individuals. The IP addresses are quite varied and don't seem to reappear often. I'm simply getting hit from everywhere.

Q: Is this sort of event volume typical of the Internet these days?

I run a small academic lab with 24 workstations and a few servers. We're reasonably secure at this point; so, I don't think we present a target of opportunity. And, I can't imagine why we'd be a target of choice.

Problem is, Snortsnarf can't handle this volume of alerts. We're talking hundreds of megabytes of log files daily. I'd prefer to continue logging the events and reporting them to Dshield.org. But, to do so, I'd have to craft filter scripts that omit the LaBrea records from the Snortsnarf analysis, or something of that sort.

Q: Anyone been there and done that, or otherwise coped with this problem?

Cheers,


---------------------------------------------------
Bill McCarty

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
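One way to keep the tarpit noise out of the Snortsnarf run while still retaining it for DShield is to split the alert file before Snortsnarf reads it. The following Python filter is an added example, not code from the original post; it assumes a constructed phantom range (10.0.0.0/24), a constructed rule-message tag ("LaBrea") and a constructed sample in Snort's full alert format.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: the phantom hosts sit in this constructed range (the post names none).
PHANTOM_NETS = [ip_network("10.0.0.0/24")]
# Assumption: the local Snort rule's message carries this constructed tag.
LABREA_TAG = "LaBrea"

# Constructed sample in Snort "full" alert format, the layout Snortsnarf reads.
SAMPLE_ALERTS = """\
[**] [1:1000001:1] LOCAL LaBrea phantom contact [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/18-10:23:38.123456 198.51.100.7:3321 -> 10.0.0.50:80

[**] [1:1228:1] SCAN nmap XMAS [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/18-10:41:02.000012 203.0.113.9:1098 -> 10.0.0.51:139

[**] [1:1228:1] SCAN nmap XMAS [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/18-11:05:10.333333 192.0.2.44:61000 -> 10.1.2.3:22
"""

HDR = re.compile(r"^\[\*\*\] \[\d+:\d+:\d+\] (.+?) \[\*\*\]", re.M)
PKT = re.compile(r"^(\d\d/\d\d)-(\d\d):\d\d:\d\d\.\d+ (\S+?)(?::\d+)? -> (\S+?)(?::\d+)?$", re.M)

def split_records(text):
    """Full-format alerts are blank-line separated blocks; keep each block whole."""
    return [b for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]

def is_labrea(record):
    """Tarpit noise: the rule message is tagged, or the destination is a phantom host."""
    m = HDR.search(record)
    if m and LABREA_TAG in m.group(1):
        return True
    p = PKT.search(record)
    return bool(p) and any(ip_address(p.group(4)) in net for net in PHANTOM_NETS)

def split_alerts(text):
    """Return (records for Snortsnarf, LaBrea records for DShield, LaBrea hits per hour)."""
    keep, tarpit, per_hour = [], [], Counter()
    for rec in split_records(text):
        if is_labrea(rec):
            tarpit.append(rec)
            p = PKT.search(rec)
            if p:
                per_hour[f"{p.group(1)} {p.group(2)}:00"] += 1
        else:
            keep.append(rec)
    return keep, tarpit, per_hour
```

Writing `keep` back out as the file Snortsnarf reads and `tarpit` to a separate file gives the DShield submission the full record while the hourly counter gives the volume summary without the per-packet bulk.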