[Dshield] Detecting Code Red Scans

Chew, Freeland (Roanoke) FChew at ecpi.edu
Sat Aug 4 20:14:50 GMT 2001


Tim wrote:

  My IDS (Cisco Secure) is not detecting the host scans from infected
  machines.  I can see the default.ida?NNN stuff but I think that is the
  second stage (infection).  I need to see the port 80 scans regardless of
  whether they are scanning MS boxes.  Any assistance will be repaid
  with good Karma.

  Tim


One way is to put a router Access Control List on outbound traffic
that specifically allows that traffic but logs it to a syslog server.

Depending on the nature of your traffic, you might even be able to block
outbound traffic to port 80 from the IIS box.  It seems to me that there
are few situations where an IIS machine would need to have a
destination port of 80.

Buddy
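To show what the logging ACL approach above buys you on the syslog side, here is an added example that is not part of the thread or of any DShield tooling. It assumes the ACL entry carries the IOS `log` keyword (something like `permit tcp host <iis-addr> any eq 80 log`, with `101` as a placeholder list number) so the router emits `%SEC-6-IPACCESSLOGP` messages, and it parses constructed sample lines in that format (documentation-range addresses, not captured traffic). The detection logic is the one the question needs: count how many distinct hosts each source touches on TCP/80, because an infected IIS box walks through addresses while a normal client talks to a handful of servers.

```python
"""Flag sources that fan out to many distinct port-80 destinations in
router ACL syslog, the pattern a Code Red host scan leaves behind."""
import re
from collections import defaultdict

# Matches the message a Cisco IOS ACL entry with the "log" keyword emits
# (assumed IPACCESSLOGP format; "list 101" is a placeholder ACL number).
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample lines (not captured traffic). 192.0.2.10 behaves like an
# infected IIS box sweeping port 80 across many hosts; 192.0.2.20 is a normal
# client talking to one web server; the %SYS line is unrelated syslog noise.
SAMPLE_SYSLOG = """\
Aug  4 20:01:11 rtr1 101: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(1025) -> 198.51.100.1(80), 1 packet
Aug  4 20:01:11 rtr1 102: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(1026) -> 198.51.100.2(80), 1 packet
Aug  4 20:01:12 rtr1 103: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(1027) -> 198.51.100.3(80), 1 packet
Aug  4 20:01:12 rtr1 104: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(1028) -> 203.0.113.4(80), 1 packet
Aug  4 20:01:12 rtr1 105: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.99)
Aug  4 20:01:13 rtr1 106: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(1029) -> 203.0.113.5(80), 1 packet
Aug  4 20:01:13 rtr1 107: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(1030) -> 203.0.113.6(80), 1 packet
Aug  4 20:01:14 rtr1 108: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.10(1031) -> 198.51.100.9(25), 1 packet
Aug  4 20:01:14 rtr1 109: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.20(2001) -> 198.51.100.7(80), 1 packet
Aug  4 20:01:15 rtr1 110: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.20(2002) -> 198.51.100.7(80), 3 packets
Aug  4 20:01:15 rtr1 111: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.20(2003) -> 198.51.100.7(80), 1 packet
"""


def parse_acl_log(text):
    """Return one dict per ACL log line; unrelated syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            rec["count"] = int(rec["count"])
            records.append(rec)
    return records


def port80_fanout(records):
    """Map each source IP to the set of distinct hosts it contacted on TCP/80."""
    targets = defaultdict(set)
    for rec in records:
        if rec["proto"] == "tcp" and rec["dport"] == 80:
            targets[rec["src"]].add(rec["dst"])
    return targets


def find_sweepers(records, min_targets=5):
    """Sources that touched at least min_targets distinct port-80 hosts.

    The distinct-destination count, not the packet count, is what separates
    a scanning host from a busy but legitimate client.
    """
    return {src: len(dsts) for src, dsts in port80_fanout(records).items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    recs = parse_acl_log(SAMPLE_SYSLOG)
    for src, n in sorted(find_sweepers(recs).items()):
        print(f"{src} contacted {n} distinct hosts on tcp/80 - check it for Code Red")
```

Feed it the syslog file the router writes to and tune `min_targets` to the server's normal outbound behaviour; the same per-source fan-out count also tells you quickly whether the stricter option in the reply (blocking outbound port 80 from the IIS box outright) would break anything legitimate.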

-----Original Message-----
From: dshield-request at dshield.org
To: dshield at dshield.org
Sent: 8/4/01 12:01 PM
Subject: Dshield digest, Vol 1 #174 - 1 msg


Message: 1
From: "Tim Dwayne Southard" <tim.southard at starband.net>
To: <dshield at dshield.org>
Date: Thu, 2 Aug 2001 18:41:27 -0400
Subject: [Dshield] How Do You Detect Code Red Host Scans
Reply-To: dshield at dshield.org

My IDS (Cisco Secure) is not detecting the host scans from infected
machines.  I can see the default.ida?NNN stuff but I think that is the
second stage (infection).  I need to see the port 80 scans regardless of
whether they are scanning MS boxes.  Any assistance will be repaid with
good Karma.

Tim


_______________________________________________
Dshield mailing list
Dshield at dshield.org
http://www1.dshield.org/mailman/listinfo/dshield


End of Dshield Digest

