That's hard to pinpoint. I'm only involved with the security side so when
we do see an event like this, we rarely (if ever) receive intimate details
on the perpetrating hardware. We alert the local network warlord to the
outbreak and request they squash the insurgence. It also depends on the
"infection". Slammer is usually quite aggressive and even a 500/min spike
setting will still generate hundreds of alerts by the time someone can deal
with patient zero. We still run the single event signature for Blaster in
parallel with the spike alert in case a less powerful event steps into the
game.
Scott H.
-----Original Message-----
From: Matt Jonkman [mailto:matt@infotex.com]
Sent: Monday, December 13, 2004 10:32 AM
To: Hazel, Scott A.
Cc: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] TCP sweeps
Good to know this idea has some value, thanks.
I'm concerned about 500/minute though. Specifically in the case of a worm
infected workstation. I've seen them so loaded by the worm that they can
barely get one or two connections initiated a second. I'm concerned we'd
miss the underpowered workstation infections. Several of the poorly written
recent worms opened so many threads this was the case even on well powered
machines.
In practice are you seeing the average machine go well over 500/minute in an
infection?
Matt
Hazel, Scott A. wrote:
We have dealt with similar issues here using Dragon. I know the
platform is different but we applied the same approach. I called them
spike alerts and started closer to 500 in 60 seconds. For segments
containing MS DC's, setting it as low as 50 still gave us a high FP
rate. Seems like non-DC segments would be fine at 50/min.
Scott Hazel
Security Operations Center
Unisys
scott.hazel@unisys.com
smime.p7s
Description: S/MIME cryptographic signature
