[Dshield] Code Red Data Collection.

Johannes B. Ullrich jullrich at euclidian.com
Thu Aug 2 19:35:06 GMT 2001


Is easier... we just log everything that goes to
'feeds.dshield.org/default.ida' and use our apache access_log/error_log to
analyze the data.

make sure you 'redirect' to it and don't just access the url yourself.

On Thu, 2 Aug 2001, Jay Wren wrote:

>
> The CGI would really only need to be created once.  Preferably at dshield,
> and then apache directives applied like so:
>
> #<Location /pathto/default.ida*>
> #    Deny from all
> #    ErrorDocument 403 http://trapserver.dshield.org/default.ida_abuse_log.cgi
> #</Location>
>
> > -----Original Message-----
> > From: Tim Winders [mailto:twinders at SPC.cc.tx.us]
> > Sent: Wednesday, August 01, 2001 10:49 PM
> > To: dshield at dshield.org
> > Subject: Re: [Dshield] Code Red Data Collection.
> >
> >
> >
> > I like that idea!  Anybody up for it???
> >
> >      **********************************************
> >         Tim Winders, MCSE, CNE, CCNA
> >         Associate Dean of Information Technology
> >         South Plains College
> >         Levelland, TX  79336
> >
> >         Phone:	806-894-9611 x 2369
> >         FAX:	806-894-1549
> >         Email:	TWinders at SPC.cc.tx.us
> >      **********************************************
> >
> >
> > On Wed, 1 Aug 2001, Joseph Shraibman wrote:
> >
> > > Perhaps a cgi could be created that would send a mail to dshield every
> > > time someone tried to access default.ida?
> > >
> > > Johannes B. Ullrich wrote:
> > >
> > > > Ok. I try to kick up ISP notification for this beast 'up a notch'.
> > > > As in this case, regular web server access logs make a great IDS, I
> > > > set up a special DShield import system for them.
> > > >
> > > > If you mail relevant log lines to 'redalert at dshield.org' they will
> > > > be processed by this separate system. The idea is to come up with a
> > > > list of IPs and notify ISPs/hosting providers of it once a day or
> > > > so.
> > > >
> > > > Please indicate in the subject line what kind of web server was used
> > > > to collect the log.
> > > >
> > > > Here is the one-line Unix shell script to submit logs:
> > > >
> > > > grep 'default.ida?NNNNN' *access_log | mail -s 'APACHE' redalert at dshield.org
> > > >
> > > > Please spread the word ;-)
> > > >
> > > >   Johannes.
> > > >
> > > >
> > > >
> > >
> > >
> > > --
> > > Joseph Shraibman
> > > jks at selectacast.net
> > > Increase signal to noise ratio.  http://www.targabot.com
> > >
> > > _______________________________________________
> > > Dshield mailing list
> > > Dshield at dshield.org
> > > To change your subscription options (or unsubscribe), see:
> > > http://www1.dshield.org/mailman/listinfo/dshield
> > >
>

-- 
-------
jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System
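As an added example (not code from the thread or from DShield), here is a small Python parser that does what the one-line grep above does but aggregates the default.ida hits per source IP with first/last seen and a count, which is the per-IP list the ISP-notification step needs. It assumes Apache common log format and a chronologically ordered log; the log lines below are constructed.

```python
import re

# Constructed sample access_log lines (Apache common log format): two probes
# from one host, one ordinary request, one probe from a second host, and a
# malformed line that the parser must skip rather than crash on.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Aug/2001:22:49:01 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 271
198.51.100.7 - - [01/Aug/2001:22:50:12 -0500] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [01/Aug/2001:22:55:33 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 271
this line is not a log record
203.0.113.5 - - [02/Aug/2001:03:12:45 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 271
"""

# Common log format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Match on the requested path rather than the raw line, so only a request for
# /default.ida counts (the worm pads the query with a run of 'N' before the
# %u-encoded payload; the padding is not required for a hit).
PROBE_RE = re.compile(r'^/default\.ida\?', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one CLF record as a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize_probes(log_text):
    """Map each probing source IP to its hit count and first/last timestamp."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not PROBE_RE.match(rec['path']):
            continue
        e = hits.setdefault(rec['ip'], {'count': 0, 'first': rec['ts'], 'last': rec['ts']})
        e['count'] += 1
        e['last'] = rec['ts']  # log assumed chronological, so this is last seen
    return hits


def report_lines(hits):
    """One line per source IP, most active first, suitable for the report mail."""
    ordered = sorted(hits.items(), key=lambda kv: (-kv[1]['count'], kv[0]))
    return [f"{ip} hits={e['count']} first={e['first']} last={e['last']}" for ip, e in ordered]


if __name__ == '__main__':
    print('\n'.join(report_lines(summarize_probes(SAMPLE_LOG))))
```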
