On Wed, May 10, 2017 at 11:26 AM, Brian Kantor <Brian(a)ucsd.edu> wrote:
> Have you inspected the contents at all to see if there are similarities?
>
> Yes. The majority of the packets are TCP open requests with no data,
> mostly to ports 23 and 80.
I'm just trying to brainstorm ways you could reduce the number of
false positives...
Maybe instead of counting packets, you could count TCP open requests.
While >1000 packets per minute might be totally normal for an FTP
transfer session, 1000 TCP open requests to unroutable addresses is
much more abnormal.
Tom KD7LXL
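The two rules Tom contrasts (raw packets per minute versus TCP open requests to unroutable destinations per minute) can be run side by side over a small constructed capture. The following is an added example, not code from this thread or from any AMPRNet tooling; the packet records, the table of "routed" prefixes that defines what counts as unroutable, and the flag/payload conventions are all assumptions made up for the illustration.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed table of prefixes that have a route; any destination outside
# these is treated as "unroutable" here (an assumption, not a real table).
ROUTED_PREFIXES = [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")]


@dataclass(frozen=True)
class Packet:
    minute: int        # minute bucket in which the packet was seen
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    flags: str         # TCP flags as letters, e.g. "S", "SA", "PA"
    payload_len: int
    dport: int


def is_unroutable(dst):
    addr = ip_address(dst)
    return not any(addr in net for net in ROUTED_PREFIXES)


def is_tcp_open_request(pkt):
    # A bare SYN (no ACK) carrying no data is a connection attempt.
    return pkt.proto == "tcp" and pkt.flags == "S" and pkt.payload_len == 0


def packets_per_minute(packets):
    """Current rule in the thread: raw packet count per (src, minute)."""
    counts = Counter()
    for p in packets:
        counts[(p.src, p.minute)] += 1
    return counts


def open_requests_per_minute(packets):
    """Proposed rule: SYNs to unroutable destinations per (src, minute)."""
    counts = Counter()
    for p in packets:
        if is_tcp_open_request(p) and is_unroutable(p.dst):
            counts[(p.src, p.minute)] += 1
    return counts


def flag_sources(counts, threshold=1000):
    """Sources that exceed the per-minute threshold under a given counter."""
    return sorted({src for (src, _m), n in counts.items() if n > threshold})


def port_profile(packets, src):
    """Destination ports of a source's open requests (the 23/80 check)."""
    return Counter(p.dport for p in packets
                   if p.src == src and is_tcp_open_request(p))


def build_sample():
    """Constructed traffic: one FTP transfer, one scanner, some background."""
    packets = []
    # Legitimate FTP data transfer: 1500 full data segments to a routed host.
    for _ in range(1500):
        packets.append(Packet(0, "10.1.0.5", "10.2.0.9", "tcp", "PA", 1460, 20))
    # Scanner: 1200 empty SYNs in one minute to addresses nobody routes,
    # alternating between ports 80 and 23.
    for i in range(1200):
        dst = f"10.9.{i // 250}.{i % 250 + 1}"
        packets.append(Packet(0, "10.1.0.77", dst, "tcp", "S", 0,
                              23 if i % 2 else 80))
    # Background: a few normal connection attempts to a routed host.
    for _ in range(20):
        packets.append(Packet(0, "10.1.0.8", "10.2.0.9", "tcp", "S", 0, 80))
    return packets


if __name__ == "__main__":
    sample = build_sample()
    print("raw packet rule flags:    ", flag_sources(packets_per_minute(sample)))
    print("open-request rule flags:  ", flag_sources(open_requests_per_minute(sample)))
    print("scanner port profile:     ", port_profile(sample, "10.1.0.77"))
```

With the same threshold of 1000 per minute, the raw packet rule flags both the FTP transfer and the scanner, while the open-request rule flags only the scanner, which is the false-positive reduction the reply is after. Real captures would need the SYN test to tolerate options such as ECN bits in the flags field and the prefix table to come from the actual routing state.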