Re: Warning -- floods of Allaple worm alerts.... sid:200329(2-5)

You still seeing those numbers of hits Russel?

Have you tried pinging some of the sources at random to see if they're
legit or spoofed?

Matt

Russell Fulton wrote:
> Hi
> 
> Over the last 24 hours we have had about 50 sources fire 20 million ping
> packets containing the string that triggers the Allaple signature.  The
> only affect it has has is to gum up my snort database.   I don't believe
> this is worm traffic and if is a ddos it is pretty feeble.  It was
> however a fairly effective dos against my snort system -- two sensors
> saw this traffic so that's a total of over 40 million events in the
> database.  :(
> 
> I have now disabled all those rules and am (slowly) deleting all the
> records from the data base.   Can I suggest that these rules be disabled
> by default with a comment saying why.
> 
> Anyone got any idea why this traffic was sent (I doubt if they were
> really trying to attack my snort system).   They have sent enough
> traffic to random addresses to map our network 200 times over.
> 
> Russell.
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc