[Dshield] Code Red Data Collection.

Jay Wren JRWren at advnetworks.com
Thu Aug 2 14:20:19 GMT 2001


The CGI would really only need to be created once.  Preferably at dshield,
and then apache directives applied like so:

#<Location /pathto/default.ida*>
#    Deny from all
#    ErrorDocument 403 http://trapserver.dshield.org/default.ida_abuse_log.cgi
#</Location>

> -----Original Message-----
> From: Tim Winders [mailto:twinders at SPC.cc.tx.us] 
> Sent: Wednesday, August 01, 2001 10:49 PM
> To: dshield at dshield.org
> Subject: Re: [Dshield] Code Red Data Collection.
> 
> 
> I like that idea!  Anybody up for it???
> 
>      **********************************************
>         Tim Winders, MCSE, CNE, CCNA
>         Associate Dean of Information Technology
>         South Plains College
>         Levelland, TX  79336
> 
>         Phone:	806-894-9611 x 2369
>         FAX:	806-894-1549
>         Email:	TWinders at SPC.cc.tx.us
>      **********************************************
> 
> 
> On Wed, 1 Aug 2001, Joseph Shraibman wrote:
> 
> > Perhaps a cgi could be created that would send a mail to dshield every
> > time someone tried to access default.ida?
> >
> > Johannes B. Ullrich wrote:
> >
> > > Ok. I try to kick up ISP notification for this beast 'up a notch'.
> > > As in this case, regular web server access logs make a great IDS, I
> > > set up a special DShield import system for them.
> > >
> > > If you mail relevant log lines to 'redalert at dshield.org' they will
> > > be processed by this separate system. The idea is to come up with a
> > > list of IPs and notify ISPs/hosting providers of it once a day or
> > > so.
> > >
> > > Please indicate in the subject line what kind of web server was used
> > > to collect the log.
> > >
> > > Here is the one-line Unix shell script to submit logs:
> > >
> > > grep 'default.ida?NNNNN' *access_log | mail -s 'APACHE' redalert at dshield.org
> > >
> > > Please spread the word ;-)
> > >
> > >   Johannes.
> > >
> > >
> > >
> >
> >
> > --
> > Joseph Shraibman
> > jks at selectacast.net
> > Increase signal to noise ratio.  http://www.targabot.com
> >
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see: 
> > http://www1.dshield.org/mailman/listinfo/dshield
> >
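Added example (not part of the original messages and not DShield's code): a Python version of the CGI discussed in this thread, which turns each default.ida hit into one sanitized log line. It assumes the script runs as a local ErrorDocument handler, so Apache passes the client's address in REMOTE_ADDR and the original request in REDIRECT_URL and REDIRECT_QUERY_STRING; the spool path, function names and sample values are assumptions.

```python
#!/usr/bin/env python3
"""CGI trap for default.ida probes: turn each hit into one sanitized log line."""
import ipaddress
import os
import time

SPOOL = os.environ.get("TRAP_SPOOL", "/var/tmp/default_ida_hits.log")  # hypothetical path
MAX_QUERY = 64  # assumption: a short prefix is enough to identify the probe

# Constructed sample: documentation address, query carrying CR/LF bytes.
SAMPLE_ENV = {
    "REMOTE_ADDR": "192.0.2.10",
    "REDIRECT_URL": "/default.ida",
    "REDIRECT_QUERY_STRING": "NNNN\r\nX: 1",
}


def printable(value, limit):
    """Replace non-printable bytes and quotes so a request cannot forge log lines."""
    return "".join(c if 32 <= ord(c) < 127 and c != '"' else "?" for c in value)[:limit]


def report_line(environ, now=None):
    """Return a Common Log Format style line for a default.ida hit, else None."""
    try:
        source = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None  # never report an address that does not parse
    # Apache sets REDIRECT_* variables when a local ErrorDocument script runs.
    path = environ.get("REDIRECT_URL") or environ.get("SCRIPT_NAME", "")
    query = environ.get("REDIRECT_QUERY_STRING") or environ.get("QUERY_STRING", "")
    if "default.ida" not in path:
        return None  # only the probe this trap was set for
    stamp = time.strftime("%d/%b/%Y:%H:%M:%S +0000", time.gmtime(now))
    request = "GET %s?%s" % (printable(path, 128), printable(query, MAX_QUERY))
    return '%s - - [%s] "%s" 403 -' % (source, stamp, request)


if __name__ == "__main__":
    print("Status: 403 Forbidden\nContent-Type: text/plain\n\nForbidden")
    line = report_line(os.environ)
    if line:
        # Spool instead of mailing per hit; a cron job can mail the file in batches.
        with open(SPOOL, "a") as spool:
            spool.write(line + "\n")
```

Spooling to a file keeps a burst of worm traffic from becoming a burst of outgoing mail.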