[Dshield] Code Red Data Collection.

Joseph Shraibman jks at selectacast.net
Tue Aug 7 00:49:02 GMT 2001


If the virus writer is smart they will ignore a redirect.  Are you sure
this will work?

"Johannes B. Ullrich" wrote:
> 
> Is easier... we just log everything that goes to
> 'feeds.dshield.org/default.ida' and use our apache access_log/error_log to
> analyze the data.
> 
> make sure you 'redirect' to it and don't just access the url yourself.
> 
> On Thu, 2 Aug 2001, Jay Wren wrote:
> 
> >
> > The CGI would really only need to be created once.  Preferably at dshield,
> > and then apache directives applied like so:
> >
> > #<Location /pathto/default.ida*>
> > #    Deny from all
> > #    ErrorDocument 403 http://trapserver.dshield.org/default.ida_abuse_log.cgi
> > #</Location>
> >
> > > -----Original Message-----
> > > From: Tim Winders [mailto:twinders at SPC.cc.tx.us]
> > > Sent: Wednesday, August 01, 2001 10:49 PM
> > > To: dshield at dshield.org
> > > Subject: Re: [Dshield] Code Red Data Collection.
> > >
> > >
> > > I like that idea!  Anybody up for it???
> > >
> > >      **********************************************
> > >         Tim Winders, MCSE, CNE, CCNA
> > >         Associate Dean of Information Technology
> > >         South Plains College
> > >         Levelland, TX  79336
> > >
> > >         Phone:      806-894-9611 x 2369
> > >         FAX:        806-894-1549
> > >         Email:      TWinders at SPC.cc.tx.us
> > >      **********************************************
> > >
> > >
> > > On Wed, 1 Aug 2001, Joseph Shraibman wrote:
> > >
> > > > Perhaps a cgi could be created that would send a mail to dshield every
> > > > time someone tried to access default.ida?
> > > >
> > > > Johannes B. Ullrich wrote:
> > > >
> > > > > Ok. I try to kick up ISP notification for this beast 'up a notch'.
> > > > > As in this case, regular web server access logs make a great IDS, I
> > > > > setup a special DShield import system for them.
> > > > >
> > > > > If you mail relevant log lines to 'redalert at dshield.org' they will
> > > > > be processed by this separate system. The idea is to come up with a
> > > > > list of IPs and notify ISPs/hosting providers of it once a day or
> > > > > so.
> > > > >
> > > > > Please indicate in the subject line what kind of web server was used
> > > > > to collect the log.
> > > > >
> > > > > Here is the one-line Unix shell script to submit logs:
> > > > >
> > > > > grep 'default.ida?NNNNN' *access_log | mail -s 'APACHE' redalert at dshield.org
> > > > >
> > > > > Please spread the word ;-)
> > > > >
> > > > >   Johannes.
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > Joseph Shraibman
> > > > jks at selectacast.net
> > > > Increase signal to noise ratio.  http://www.targabot.com
> > > >
> > > > _______________________________________________
> > > > Dshield mailing list
> > > > Dshield at dshield.org
> > > > To change your subscription options (or unsubscribe), see:
> > > > http://www1.dshield.org/mailman/listinfo/dshield
> > > >
> > >
> >
> >
> 
> --
> -------
> jullrich at sans.org                    Join http://www.DShield.org
>                                      Distributed Intrusion Detection System
> 

-- 
Joseph Shraibman
jks at selectacast.net
Increase signal to noise ratio.  http://www.targabot.com
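
Added example, not part of the original thread: the grep one-liner quoted above matches the string anywhere in a log line, so this sketch matches only the request path and reduces the hits to the per-IP list the thread says DShield wants to build. The function names, the constructed sample lines and the assumption of Apache common/combined log format are mine.

```shell
#!/bin/sh
# Constructed sample access-log lines (documentation address ranges only).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [02/Aug/2001:10:01:11 +0000] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 276
192.0.2.10 - - [02/Aug/2001:10:07:42 +0000] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [02/Aug/2001:10:09:03 +0000] "GET /docs/default.ida.txt HTTP/1.0" 200 512
203.0.113.5 - - [02/Aug/2001:11:15:20 +0000] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [02/Aug/2001:11:20:00 +0000] "GET /news.html HTTP/1.0" 200 900 "http://www.example.org/?q=default.ida?NNNNN" "Mozilla/4.0"
EOF
}

# Print "count ip first_seen last_seen" for every client whose request path
# is default.ida followed by the N padding, most active source first.
# Reads the named log files, or stdin when no file is given.
code_red_sources() {
    awk '
        # Field 7 is the request path in common/combined log format, so a
        # Referer or a similarly named file does not count as a hit.
        $7 ~ /\/default\.ida\?NNNNN/ {
            ip = $1
            ts = substr($4, 2)              # drop the leading "["
            if (!(ip in hits)) first[ip] = ts
            last[ip] = ts
            hits[ip]++
        }
        END {
            for (ip in hits)
                printf "%d %s %s %s\n", hits[ip], ip, first[ip], last[ip]
        }
    ' "$@" | sort -k1,1nr -k2,2
}

# Stand-alone run on the constructed sample.
sample_log | code_red_sources
```

The first and last timestamps per source are kept because a provider being notified needs a time window to match against its own address assignment records.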
