I've seen an increase, but not near that scale. It would seem to be an
intentional thing.
Perhaps we need to threshold those sigs, maybe once every 5 minutes by
source. I'll do so.
Matt
Russell Fulton wrote:
> Hi
>
> Over the last 24 hours we have had about 50 sources fire 20 million ping
> packets containing the string that triggers the Allaple signature. The
> only effect it has is to gum up my snort database. I don't believe
> this is worm traffic and if it is a ddos it is pretty feeble. It was
> however a fairly effective dos against my snort system -- two sensors
> saw this traffic so that's a total of over 40 million events in the
> database. :(
>
> I have now disabled all those rules and am (slowly) deleting all the
> records from the database. Can I suggest that these rules be disabled
> by default with a comment saying why.
>
> Anyone got any idea why this traffic was sent (I doubt if they were
> really trying to attack my snort system). They have sent enough
> traffic to random addresses to map our network 200 times over.
>
> Russell.
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
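What Matt's "once every 5 minutes by source" threshold would do to a flood like Russell's, as an added example that is not part of the original thread or of the Bleeding rules: a small Python simulation of Snort's `type limit, track by_src` threshold, run over a constructed event stream. The `sig_id` 2000000 is a placeholder, not the real Allaple SID, the packet counts are constructed rather than taken from Russell's database, and the threshold.conf line in the docstring is the Snort 2.x syntax being modelled (Snort 2.8.5 and later spell the directive `event_filter`; earlier 2.x releases spell it `threshold`).

```python
"""Simulate Snort's per-source 'limit' thresholding (added example; not
code from the mailing list or the Bleeding ruleset).

Snort 2.x threshold.conf line being modelled (sig_id 2000000 is a
hypothetical placeholder, not the real Allaple SID):

    threshold gen_id 1, sig_id 2000000, type limit, track by_src, count 1, seconds 300
"""
import math

GEN_ID = 1
SIG_ID = 2000000  # placeholder SID for the Allaple signature


class LimitFilter:
    """'type limit': log the first `count` events per tracked key in
    each `seconds`-long window; drop the rest until the window expires."""

    def __init__(self, gen_id=GEN_ID, sig_id=SIG_ID, count=1, seconds=300,
                 track="by_src"):
        self.gen_id = gen_id
        self.sig_id = sig_id
        self.count = count
        self.seconds = seconds
        self.track = track
        self._windows = {}  # tracked key -> (window_start_ts, events_seen)

    def _key(self, ev):
        return ev["src"] if self.track == "by_src" else ev["dst"]

    def allow(self, ev):
        """Return True if the event should be logged, False if suppressed."""
        if (ev["gen_id"], ev["sig_id"]) != (self.gen_id, self.sig_id):
            return True  # the filter only applies to the configured signature
        key = self._key(ev)
        start, seen = self._windows.get(key, (None, 0))
        if start is None or ev["ts"] - start >= self.seconds:
            self._windows[key] = (ev["ts"], 1)  # open a fresh window
            return True
        self._windows[key] = (start, seen + 1)
        return seen < self.count


def make_flood(n_sources, per_second, duration_s, sig_id=SIG_ID):
    """Constructed sample: `n_sources` hosts each trigger the signature
    `per_second` times a second for `duration_s` seconds."""
    events = []
    for s in range(n_sources):
        src = f"192.0.2.{s + 1}"  # documentation address range, constructed
        for i in range(int(per_second * duration_s)):
            events.append({"ts": i / per_second, "src": src,
                           "dst": "198.51.100.1", "gen_id": GEN_ID,
                           "sig_id": sig_id})
    events.sort(key=lambda e: e["ts"])
    return events


def apply_filter(events, filt):
    """Run the stream through the filter; return (logged, suppressed)."""
    logged = suppressed = 0
    for ev in events:
        if filt.allow(ev):
            logged += 1
        else:
            suppressed += 1
    return logged, suppressed


def expected_alerts(n_sources, duration_s, seconds=300):
    """Upper bound on logged alerts for a steady flood: one per source per window."""
    return n_sources * math.ceil(duration_s / seconds)


if __name__ == "__main__":
    flood = make_flood(n_sources=3, per_second=1, duration_s=3600)
    logged, suppressed = apply_filter(flood, LimitFilter())
    print(f"{len(flood)} matching packets -> {logged} alerts, {suppressed} suppressed")
    # Same bound applied to the scale in Russell's report: 50 sources over 24h
    print("50 sources over 24h would log at most",
          expected_alerts(50, 86400), "alerts per sensor")
```

The `limit` type keeps the first hit per source per window and silently drops the rest, so the sensor still records that each source is sending the Allaple string, but the database grows by at most one row per source every five minutes instead of one row per packet. A `suppress` line would hide the source entirely, which is closer to what disabling the rules does.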