by Joel_Mckay
237 days ago
In general, bots/worms/clowns will first check if a host/router is already infected or vulnerable to a shim. Thus, tripwires on those checks or URIs often auto-ban infected/hostile hosts before a scan fully escalates to a successful payload. Note that people don't want a VM delta-snapshot of their zero-day around for automated analysis. 99.98% of hostile traffic simply reuses already published testing tools, or services like Shodan, to target hosts. One shouldn't waste resources guessing the motives behind problem traffic. =3
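One way to implement the tripwire the comment describes, as an added example that is not the commenter's code: scan web-server access-log lines for requests to paths no legitimate client of this host would ask for, and treat a single hit as grounds to ban the source. The tripwire paths, the log lines and the nftables set name `banned` are all constructed for this illustration and are assumptions, not anything the thread specifies.

```python
"""Tripwire detector: flag client IPs that request scanner probe URIs.

Added illustration, not code from the thread. The tripwire paths, the log
lines and the nftables table/set names are constructed for the example.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Paths no legitimate client of this particular host would ever request,
# but that automated scanners commonly try first. Constructed list; tune it
# to what the host actually serves (a real WordPress site cannot use /wp-login.php).
TRIPWIRE_PATHS = {"/.env", "/.git/config", "/wp-login.php", "/phpmyadmin/index.php"}
# Prefixes treated the same way.
TRIPWIRE_PREFIXES = ("/cgi-bin/",)

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_tripwire(target: str) -> bool:
    """True if the request target hits a tripwire path (query string ignored)."""
    path = urlsplit(target).path
    return path in TRIPWIRE_PATHS or path.startswith(TRIPWIRE_PREFIXES)


def scan_log(lines):
    """Return {ip: [paths]} for every client that touched a tripwire."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the scanner
        if is_tripwire(m["target"]):
            hits[m["ip"]].append(urlsplit(m["target"]).path)
    return dict(hits)


def ban_list(lines):
    """Sorted client IPs to ban. One tripwire hit is enough: the request itself is the tell."""
    return sorted(scan_log(lines))


def nft_commands(ips, table="inet filter", set_name="banned"):
    """Render nftables commands adding the IPs to a set that is assumed to already exist."""
    return [f"nft add element {table} {set_name} {{ {ip} }}" for ip in ips]


# Constructed sample log: one ordinary visitor, two scanners, one unparsable line.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2024:12:00:02 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /wp-login.php?action=register HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '203.0.113.99 - - [10/Mar/2024:12:00:05 +0000] "POST /cgi-bin/admin.cgi HTTP/1.1" 404 153 "-" "-"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, paths in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {paths}")
    for cmd in nft_commands(ban_list(SAMPLE_LOG)):
        print(cmd)
```

The point of matching on the request path rather than on response status is that the probe itself is the signal: a 404 for `/.env` is as damning as a 200. Make sure the tripwire list contains nothing the host legitimately serves, or the ban list will fill with real users.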
You're back on prevention instead of detection, but also no: an attacker with valid creds isn't going to run other checks first before using them.
And yes: by volume, most attacks on the internet are just spam reusing published tools and IP lists. And that traffic is zero percent risky unless your auth is already busted.