[Dshield] Code Red Data Collection.

Jeff Huber jeff at am.net
Thu Aug 2 03:23:37 GMT 2001


Okay. I've already got an AOLserver Tcl script that's stuffing all
/default.ida?NNN requests into a database with hostIP, attack time, etc. I'd
like to send all these db entries to you instead of my logfile snippets.

What format would you like the data in?

How about an email with the contents being a pipe delimited message of the
format: attackerIP|attackTime. So it'd look like this:

Subject: amnet Code Red attempts to propagate between 2001-08-01 11:00:00 and
2001-08-01 11:00:00
64.42.93.1|2001-08-01 11:00:00
64.42.93.1|2001-08-01 11:00:00
64.42.93.1|2001-08-01 11:00:00
64.42.93.1|2001-08-01 11:00:00
64.42.93.1|2001-08-01 11:00:00
64.42.93.1|2001-08-01 11:00:00

If this is okay with you I'm going to send my script to other AOLserver
users.

Jeff
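The pipe-delimited report proposed above, and the grep one-liner quoted further down, both boil down to the same job: pull the Code Red propagation requests out of a web server access log, keep the client IP and the time, and emit `attackerIP|attackTime` lines. The following is an added example, not Jeff's AOLserver Tcl script or DShield's own import code. It assumes Apache common log format as input; the sample log lines are constructed for the example, and matching a run of `X` as well as `N` after `/default.ida?` (the Code Red II variant) is an addition beyond what the thread mentions.

```python
import re
from datetime import datetime

# Constructed sample access_log lines in Apache common log format (not from the
# thread). Two carry the Code Red propagation signature, the other two do not.
SAMPLE_LOG = """\
64.42.93.1 - - [01/Aug/2001:11:00:00 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN=a HTTP/1.0" 404 276
10.0.0.7 - - [01/Aug/2001:11:00:05 -0400] "GET /index.html HTTP/1.1" 200 1532
192.0.2.44 - - [01/Aug/2001:11:02:17 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=a HTTP/1.0" 404 276
198.51.100.9 - - [01/Aug/2001:11:03:40 -0400] "GET /default.ida HTTP/1.0" 404 276
"""

# Apache common log format: client ident user [timestamp] "request" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Code Red's .ida overflow request: a long run of N (Code Red I) or X (Code Red
# II) right after /default.ida?. Five or more matches the grep in the thread;
# the X variant is an assumption beyond what the thread mentions.
CODE_RED_RE = re.compile(r'^GET /default\.ida\?(?:N{5,}|X{5,})')


def parse_clf(line):
    """Return (client_ip, timestamp_str, request) for one log line, or None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def is_code_red(request):
    """True only for the worm's propagation request, not a bare /default.ida probe."""
    return CODE_RED_RE.match(request) is not None


def attack_time(clf_timestamp):
    """Convert '01/Aug/2001:11:00:00 -0400' to '2001-08-01 11:00:00'.

    The offset is parsed but the time is kept as logged (not converted to UTC),
    matching the timezone-less attackTime field proposed in the thread.
    """
    dt = datetime.strptime(clf_timestamp, "%d/%b/%Y:%H:%M:%S %z")
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def extract_code_red(lines):
    """Return [(attackerIP, attackTime), ...] for every Code Red hit in the log."""
    records = []
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue  # not a well-formed CLF line
        ip, ts, request = parsed
        if is_code_red(request):
            records.append((ip, attack_time(ts)))
    return records


def format_report(records):
    """Render the pipe-delimited attackerIP|attackTime body."""
    return "\n".join(f"{ip}|{when}" for ip, when in records)


def build_subject(site, records):
    """Subject line covering the first and last attack time in the batch."""
    if not records:
        return f"{site} Code Red attempts to propagate: none"
    times = [when for _, when in records]
    return (f"{site} Code Red attempts to propagate between "
            f"{min(times)} and {max(times)}")


if __name__ == "__main__":
    recs = extract_code_red(SAMPLE_LOG.splitlines())
    print("Subject:", build_subject("amnet", recs))
    print(format_report(recs))
```

Run against a real log the script is fed with `open("access_log")` instead of `SAMPLE_LOG.splitlines()`; the bare `/default.ida` probe without the padding run is deliberately left out so that ordinary scanners do not get reported as worm-infected hosts.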


> -----Original Message-----
> From: Johannes B. Ullrich [mailto:jullrich at euclidian.com]
> Sent: Wednesday, August 01, 2001 4:47 PM
> To: dshield at dshield.org
> Subject: Re: [Dshield] Code Red Data Collection.
> 
> 
> 
> Thinking about that... For now, you can send your http log snippets to
> codered at dshield.org .
> 
> On Wed, 1 Aug 2001, Joseph Shraibman wrote:
> 
> > Perhaps a cgi could be created that would send a mail to dshield every
> > time someone tried to access default.ida?
> >
> > Johannes B. Ullrich wrote:
> >
> > > Ok. I try to kick up ISP notification for this beast 'up a notch'.
> > > As in this case, regular web server access logs make a great IDS,
> > > I setup a special DShield import system for them.
> > >
> > > If you mail relevant log lines to 'redalert at dshield.org' they will
> > > be processed by this separate system. The idea is to come up with
> > > a list of IPs and notify ISPs/hosting providers of it once a day
> > > or so.
> > >
> > > Please indicate in the subject line what kind of web server was
> > > used to collect the log.
> > >
> > > Here is the one-line Unix shell script to submit logs:
> > >
> > > grep 'default.ida?NNNNN' *access_log | mail -s 'APACHE' redalert at dshield.org
> > >
> > > Please spread the word ;-)
> > >
> > >   Johannes.
> > >
> > >
> > >
> >
> >
> >
> 
> -- 
> -------
> jullrich at sans.org                    Join http://www.DShield.org
>                                      Distributed Intrusion Detection System
> 
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: 
> http://www1.dshield.org/mailman/listinfo/dshield
> 