[Dshield] Tracking and Reporting Probes

Bill McCarty bmccarty at apu.edu
Sat Mar 30 03:48:53 GMT 2002


Hi Clint,

I have two Snort rules for LaBrea traffic, which generate alerts for TCP 
connection attempts and incoming UDP packets:

> alert tcp  any any -> $PHANTOM any (flags:S+; msg:"Local: LaBrea";
> classtype:misc-activity; sid:3000021; rev:1; priority:2;)
>
> # The UDP rule needs its own sid: as posted, both rules carried sid:3000021,
> # and two rules sharing a gid/sid pair will not load cleanly.
> alert udp  any any -> $PHANTOM any (msg:"Local: LaBrea";
> classtype:misc-activity; sid:3000022; rev:1; priority:2;)

The variable $PHANTOM is defined as a list of unused IP addresses, which 
are available to LaBrea.

I've logged 842 of these packets today, which has been a very light day. 
Apparently, attackers celebrate Good Friday in some fashion. This puzzles 
me significantly.

Cheers,

--On Friday, March 29, 2002 11:48 AM -0800 Clint Byrum <cbyrum at erp.com> 
wrote:

> I fooled around and created a dshield reporter for my snort
> logs that are stored in MySQL/pgsql. What I found though, was that this
> info was not as easy to classify as "attack going here to here" and
> would have reported *my* IP addresses as the source of attacks. Are you
> filtering exclusively for just a few types of snort alerts?

---------------------------------------------------
Bill McCarty
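
The selection step Clint asks about, as an added example that is not code from either poster: read Snort "fast"-format alert lines, keep only hits from the LaBrea rules that target a $PHANTOM address, drop anything whose source is one of our own networks (the case that would otherwise report our IPs as attackers), and aggregate the rest into tab-separated report lines. The sid set (3000021, plus 3000022 assumed for a UDP rule given its own sid), the address ranges, the sample alert lines and the DShield column order are all assumptions made here, not taken from the thread.

```python
"""Filter Snort 'Local: LaBrea' alerts into aggregated, DShield-style report lines.

Added example for the thread above, not Bill's or Clint's code. Assumptions:
Snort "fast" alert format, a phantom list like $PHANTOM, a local-network list,
and a report column order (timestamp, user id, count, src, sport, dst, dport,
proto, flags) that should be checked against current DShield documentation.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Assumed configuration; documentation address ranges, not real ones.
PHANTOM = [ipaddress.ip_network("192.0.2.32/27")]  # unused addresses LaBrea answers for
LOCAL = [ipaddress.ip_network("192.0.2.0/24")]      # everything we own; never reported as a source
LABREA_SIDS = {3000021, 3000022}                     # assumed sids of the LaBrea rules
USER_ID = "0"                                        # placeholder report user id

# Snort fast-format alert line, e.g.
# 03/29-11:48:53.101 [**] [1:3000021:1] Local: LaBrea [**] [Classification: ...] [Priority: 2] {TCP} a.b.c.d:p -> w.x.y.z:q
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?P<msg>.*?) \[\*\*\] .*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample input (documentation addresses only).
SAMPLE_ALERTS = [
    "03/29-11:48:53.101 [**] [1:3000021:1] Local: LaBrea [**] [Classification: Misc activity] [Priority: 2] {TCP} 198.51.100.7:3321 -> 192.0.2.40:80",
    "03/29-11:48:54.202 [**] [1:3000021:1] Local: LaBrea [**] [Classification: Misc activity] [Priority: 2] {TCP} 198.51.100.7:3321 -> 192.0.2.40:80",
    "03/29-11:49:10.303 [**] [1:3000022:1] Local: LaBrea [**] [Classification: Misc activity] [Priority: 2] {UDP} 203.0.113.9:1434 -> 192.0.2.45:1434",
    "03/29-11:50:00.404 [**] [1:3000021:1] Local: LaBrea [**] [Classification: Misc activity] [Priority: 2] {TCP} 192.0.2.5:40000 -> 192.0.2.40:22",
    "03/29-11:51:00.505 [**] [1:1000001:1] Local: web scan [**] [Classification: Misc activity] [Priority: 2] {TCP} 198.51.100.7:3322 -> 192.0.2.10:80",
    "not a snort alert line",
]


def parse_alert(line, year):
    """Parse one fast-format alert line; return None for anything else.
    Fast alerts carry no year, so the caller supplies it."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S"),
        "sid": int(m["sid"]),
        "msg": m["msg"],
        "proto": m["proto"].upper(),
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]) if m["sport"] else 0,  # 0 when the line has no ports (ICMP)
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]) if m["dport"] else 0,
    }


def is_reportable(a):
    """Keep only LaBrea rule hits aimed at a phantom address from an outside source."""
    if a["sid"] not in LABREA_SIDS:
        return False
    if not any(a["dst"] in n for n in PHANTOM):
        return False
    # This is the filter a generic "everything Snort alerted on" dump lacks: without it,
    # any rule that fires on outbound traffic reports our own hosts as attack sources.
    if any(a["src"] in n for n in LOCAL):
        return False
    return True


def aggregate(lines, year):
    """Count reportable alerts per (src, sport, dst, dport, proto) flow."""
    counts = Counter()
    first_seen = {}
    for line in lines:
        a = parse_alert(line, year)
        if a is None or not is_reportable(a):
            continue
        key = (str(a["src"]), a["sport"], str(a["dst"]), a["dport"], a["proto"])
        counts[key] += 1
        first_seen.setdefault(key, a["ts"])
    return counts, first_seen


def dshield_lines(counts, first_seen, user_id=USER_ID, tz="+00:00"):
    """Render aggregated flows as tab-separated report lines in the assumed column order.
    The flags column is left blank: fast alert lines do not carry the TCP flags."""
    out = []
    for key in sorted(counts):
        src, sport, dst, dport, proto = key
        ts = first_seen[key].strftime("%Y-%m-%d %H:%M:%S") + " " + tz
        out.append("\t".join([ts, user_id, str(counts[key]), src, str(sport), dst, str(dport), proto, ""]))
    return out


if __name__ == "__main__":
    c, s = aggregate(SAMPLE_ALERTS, 2002)
    print("\n".join(dshield_lines(c, s)))
```

Of the six constructed lines, only two flows survive: the local-source hit and the non-LaBrea rule are dropped, and the two identical TCP SYN hits collapse into one line with a count of 2.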