[Dshield] Re: Dshield digest, Vol 1 #196 - 12 msgs

Bruce Lilly blilly at erols.com
Thu Aug 9 18:58:29 GMT 2001


> Date: Wed, 8 Aug 2001 17:50:16 -0400
> From: "Taps" <Taps at Iniquity.Org>
> To: <dshield at dshield.org>
> Subject: [Dshield] New To List, Few Questions.
> Reply-To: dshield at dshield.org
> 
[...]
> I do have the ability to send that information to a syslog port
> somewhere, and I am currently using Kiwi's SyslogD for Windows to
> monitor that router.

The registered version of that software is probably OK, but the
unregistered version may drop syslog packets if more than 25
arrive in a row.

[...]
> After watching the route for a few minutes, I am making a guess that I
> am blocking between 5 and 6 requests a second to random IP addresses on
> port 80.  None of these are published anywhere as valid HTTP servers.
> Noticing that they are all coming from the same IP addresses in a row, I
> am led to believe that they are Code Red infected computers searching
> for more victims.  When opening the IPs in a browser, I am seeing that
> they are all coming from IIS servers.
> 
> What I am wondering is if there is a client for Dshield.Org that will
> interpret the syslogd logs to use.  I am not able to write a client to
> do so.  Is anyone else in a similar situation?

Kiwi's syslogd prepends 4 fields to whatever the sender sends.

What do typical log entries look like?
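As an added example (not code from this thread or from DShield), assuming Kiwi's four prepended fields are tab-separated and that the router emits Cisco-style ACL deny messages, here is a small parser that strips the Kiwi prefix and flags sources that sweep many hosts on tcp/80 in a row, the pattern the post attributes to Code Red:

```python
import re
from collections import defaultdict

# Constructed sample input. Kiwi SyslogD is said to prepend four fields to the
# sender's message; that they are tab-separated date, time, priority and source
# host is an assumption here, as is the Cisco-style "IPACCESSLOGP" deny text.
SAMPLE_LOG = """\
2001-08-08\t17:50:01\tLocal7.Info\t10.0.0.1\t%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(3456) -> 198.51.100.20(80), 1 packet
2001-08-08\t17:50:01\tLocal7.Info\t10.0.0.1\t%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(3457) -> 198.51.100.21(80), 1 packet
2001-08-08\t17:50:02\tLocal7.Info\t10.0.0.1\t%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(3458) -> 198.51.100.22(80), 1 packet
2001-08-08\t17:50:02\tLocal7.Info\t10.0.0.1\t%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(3459) -> 198.51.100.23(80), 1 packet
2001-08-08\t17:50:02\tLocal7.Info\t10.0.0.1\t%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(1025) -> 198.51.100.20(80), 1 packet
2001-08-08\t17:50:03\tLocal7.Info\t10.0.0.1\t%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(1026) -> 198.51.100.20(25), 1 packet
"""

KIWI_PREFIX_FIELDS = 4  # fields Kiwi prepends before the original message
DENY_RE = re.compile(
    r"denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

def parse_kiwi_line(line):
    """Strip Kiwi's prepended fields and parse the router's deny message.
    Returns a dict with proto/src/sport/dst/dport, or None if not a deny."""
    parts = line.rstrip("\n").split("\t", KIWI_PREFIX_FIELDS)
    if len(parts) != KIWI_PREFIX_FIELDS + 1:
        return None
    m = DENY_RE.search(parts[KIWI_PREFIX_FIELDS])
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def find_port80_scanners(lines, min_targets=3):
    """Flag sources denied to at least min_targets distinct hosts on tcp/80:
    one source hitting many unrelated web ports in a row is the sweep the
    post describes, while a single denied connection is not reported."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_kiwi_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == 80:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}

if __name__ == "__main__":
    for src, dsts in find_port80_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed {len(dsts)} hosts on tcp/80: {', '.join(dsts)}")
```

The prefix field count and separator should be checked against real Kiwi output before relying on the parser, since the thread itself only says that four fields are prepended.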
