OK..... I need some thoughts......

I came in this morning to significantly more Snort alerts than I would usually expect overnight, and it rapidly became clear that they comprised basically 2 alerts and there was a potential pattern. The alerts are WebDAV Search Access heavily interspersed with Evasive RST detection by the stream4 preprocessor.

Looking at the WhoIs of the various sources, they are originating from the US and France, but by far the most are from the Pacific Rim (why is that not too surprising?).

My problem is that I don't recognize this activity as an existing worm/skiddie tool (and if it is, someone please slap me......)

Questions:

1. Is anyone else experiencing this type of traffic?
2. While there is something of a pattern to the events and it appears automated, do you think it's worm- or human-initiated?


Attached are the logfiles of pertinent traffic. There is a probably unrelated event in there, but I left it just in case and out of interest. It purports to be from the UN mission in Bosnia.