Snort mailing list archives

RE: ICMP PING CyberKit 2.2 Windows


From: JP Vossen <vossenjp () netaxs com>
Date: Thu, 21 Aug 2003 17:17:31 -0400 (EDT)

From: "Mike Feetham" <mike.feetham () percepta-crm com>
To: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] RE: ICMP PING CyberKit 2.2 Windows
Date: Wed, 20 Aug 2003 12:32:40 -0400

Between Monday and Tuesday we saw over 10,000 hits on our Class C.
Between yesterday and today that number dropped to about 3,000.  Today,
we're not seeing any.  My only guess is that our ISPs are blocking them
(Allstream, and Worldcom).  Has anyone else seen this behaviour?

As other posters have indicated, it has not slacked off elsewhere.  In fact,
my Snort/ACID honeypot numbers show it getting worse if anything!  This is on
my iDSL backup link, so we are talking about a small link in a broadband
IP segment, just to give an idea of proportion.

Note I am counting PACKETS here, *not* the CyberKit rule.  See the query
below.

<honeypot stats>
Date        Packets   Per_Hour  Est_Attacks
2003-08-01      13      0.54    6.50
2003-08-02      8       0.33    4.00
2003-08-03      11      0.46    5.50
2003-08-04      9       0.38    4.50
2003-08-05      47      1.96    23.50
2003-08-06      67      2.79    33.50
2003-08-07      11      0.46    5.50
2003-08-08      12      0.50    6.00
2003-08-09      12      0.50    6.00
2003-08-10      37      1.54    18.50
2003-08-11      768     32.00   384.00
2003-08-12      1698    70.75   849.00
2003-08-13      1142    47.58   571.00
2003-08-14      1218    50.75   609.00
2003-08-15      1097    45.71   548.50
2003-08-16      1009    42.04   504.50
2003-08-17      952     39.67   476.00
2003-08-18      2440    101.67  1220.00
2003-08-19      3989    166.21  1994.50
2003-08-20      4606    191.92  2303.00
2003-08-21      3235    190.29  1617.50

Current up to: 2003-08-21 17:10:16-0400
Note 1: Est_Attacks assumes 2 packets per attack. That is--an ESTIMATE!
Note 2: The last entry (time-to-present) is also a rough estimate...
<honeypot stats>

Note this is just an SQL query of an ACID table in a shell script.  I'll post
or e-mail the whole thing if anyone cares, but here's the guts:

...
# Date range to report on: first argument (default 2003-08-01) to
# second argument (default today, as YYYY-MM-DD).
START=${1:-2003-08-01}
END=${2:-$(date +%Y-%m-%d)}
...
# Daily counts of TCP packets (ip_proto 6) to destination port 135 from
# the ACID event table.  Per_Hour and Est_Attacks are derived estimates:
# packets/24 and packets/2 (two packets per attack).  Output is also
# saved to daily.txt.
mysql snort <<SQL | tee daily.txt
SELECT DATE_FORMAT(timestamp, '%Y-%m-%d') AS Date,
       COUNT(*) AS Packets,
       (COUNT(*)/24) AS Per_Hour,
       (COUNT(*)/2) AS Est_Attacks
FROM acid_event
WHERE layer4_dport = 135 AND ip_proto = 6
  AND timestamp BETWEEN '${START}' AND '${END}'
GROUP BY Date;
SQL
...


Later,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|         jp{at}jpsdomain{dot}org
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."
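
The daily-count query above, as an added, self-contained example (editor's code, not JP's script or anything from the ACID project). It loads a small constructed set of acid_event-style rows into an in-memory SQLite table, runs the same per-day aggregation for TCP port 135, and then adds the two derived columns from the posted table: Per_Hour, computed against the hours elapsed so far for the current day (the posted Note 2), and Est_Attacks at two packets per attack. The column names and protocol numbers match the original query; the sample timestamps and packet mix are invented. It also shows one caveat worth checking in any such script: when START and END are bare dates and the column is a full timestamp, `BETWEEN` stops at midnight at the start of the END day, so the example uses a half-open range (`>= START`, `< END + 1 day`) by default and exposes the `BETWEEN` form for comparison.

```python
"""Daily packet counts per destination port from an ACID-style event table,
with the Per_Hour and Est_Attacks columns of the posted report."""
import sqlite3
from datetime import datetime, timedelta

# Constructed sample of acid_event rows: (timestamp, ip_proto, layer4_dport).
# ip_proto 6 = TCP, 1 = ICMP.  These are illustrative values, not captured traffic.
SAMPLE_EVENTS = [
    ("2003-08-19 01:15:00", 6, 135),
    ("2003-08-19 02:30:00", 6, 135),
    ("2003-08-19 03:00:00", 1, None),   # ICMP echo; not counted by the port-135 filter
    ("2003-08-19 10:45:00", 6, 135),
    ("2003-08-19 23:59:59", 6, 135),
    ("2003-08-20 00:00:01", 6, 135),
    ("2003-08-20 04:20:00", 6, 445),    # different destination port; excluded
    ("2003-08-20 08:00:00", 6, 135),
    ("2003-08-21 00:30:00", 6, 135),
    ("2003-08-21 09:00:00", 6, 135),
    ("2003-08-21 12:00:00", 6, 135),
]


def load_events(events=SAMPLE_EVENTS):
    """Build an in-memory table with the three acid_event columns the query uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE acid_event (timestamp TEXT, ip_proto INTEGER, layer4_dport INTEGER)"
    )
    conn.executemany("INSERT INTO acid_event VALUES (?, ?, ?)", events)
    return conn


def daily_counts(conn, start, end, dport=135, proto=6, half_open=True):
    """Return [(YYYY-MM-DD, packets), ...] for packets to dport/proto.

    start/end are YYYY-MM-DD.  With half_open=True the range is
    timestamp >= start AND timestamp < end + 1 day, so the whole END day
    counts.  With half_open=False it is the BETWEEN form, which compares the
    full timestamp against 'END 00:00:00' and so drops the rest of END day.
    """
    if half_open:
        end_excl = (datetime.strptime(end, "%Y-%m-%d") + timedelta(days=1)).strftime("%Y-%m-%d")
        where = "timestamp >= ? AND timestamp < ?"
        params = (dport, proto, start, end_excl)
    else:
        where = "timestamp BETWEEN ? AND ?"
        params = (dport, proto, start, end)
    sql = (
        "SELECT substr(timestamp, 1, 10) AS day, COUNT(*) "
        "FROM acid_event WHERE layer4_dport = ? AND ip_proto = ? AND " + where +
        " GROUP BY day ORDER BY day"
    )
    return conn.execute(sql, params).fetchall()


def report(rows, now, packets_per_attack=2):
    """Add Per_Hour and Est_Attacks to each (day, packets) row.

    now is 'YYYY-MM-DD HH:MM:SS'.  For the day containing now, the rate is
    packets per hour elapsed so far rather than per 24 hours.
    """
    now_dt = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    today = now_dt.strftime("%Y-%m-%d")
    out = []
    for day, packets in rows:
        if day == today:
            hours = (now_dt - datetime.strptime(day, "%Y-%m-%d")).total_seconds() / 3600
            hours = max(hours, 1 / 60)  # guard against divide-by-zero right after midnight
        else:
            hours = 24.0
        out.append({
            "date": day,
            "packets": packets,
            "per_hour": round(packets / hours, 2),
            "est_attacks": packets / packets_per_attack,
        })
    return out


if __name__ == "__main__":
    conn = load_events()
    rows = daily_counts(conn, "2003-08-19", "2003-08-21")
    print("Date        Packets   Per_Hour  Est_Attacks")
    for r in report(rows, "2003-08-21 12:00:00"):
        print(f"{r['date']}  {r['packets']:<8}  {r['per_hour']:<8}  {r['est_attacks']:.2f}")
```

Running it prints the same four-column layout as the posted table for the constructed sample; passing `half_open=False` to `daily_counts` drops the 2003-08-21 row entirely, which is the boundary effect to watch for when the END default is a bare date.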



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users