[Dshield] Re: Dshield digest, Vol 1 #196 - 12 msgs
blilly at erols.com
Thu Aug 9 18:58:29 GMT 2001

> Date: Wed, 8 Aug 2001 17:50:16 -0400
> From: "Taps" <Taps at Iniquity.Org>
> To: <dshield at dshield.org>
> Subject: [Dshield] New To List, Few Questions.
> Reply-To: dshield at dshield.org

> I do have the ability to send that information to a syslog port
> somewhere, and I am currently using Kiwi's SyslogD for Windows to
> monitor that router.

The registered version of that software is probably OK, but the
unregistered version may drop syslog packets if more than 25
arrive in a row.

> After watching the router for a few minutes, I am making a guess that I
> am blocking between 5 and 6 requests a second to random IP addresses on
> port 80. None of these are published anywhere as valid HTTP servers.
> Noticing that they are all coming from the same IP addresses in a row, I
> am led to believe that they are Code Red infected computers searching
> for more victims. When opening the IPs in a browser, I am seeing that
> they are all coming from IIS servers.
> What I am wondering is if there is a client for Dshield.Org that will
> interpret the syslogd logs to use. I am not able to write a client to
> do so. Is anyone else in a similar situation?

Kiwi's syslogd prepends 4 fields to whatever the sender sends.
What do typical log entries look like?
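Since the thread never shows what the log entries actually look like, here is an added example (not part of the original thread, and not a DShield client or anything from Kiwi) of the kind of parser the question is asking about. It assumes Kiwi's tab-delimited layout for the four prepended fields (date, time, priority, hostname) followed by the router's own message, and it assumes the router emits Cisco IOS ACL deny messages in the %SEC-6-IPACCESSLOGP format; the thread does not name the router model, so both are assumptions to check against a real log file. The log lines below are constructed. The script drops the Kiwi fields, pulls source/destination addresses and ports out of each deny line, and then lists sources that hit several distinct addresses on port 80, which is the pattern the poster attributes to Code Red scanning.

```python
import re
from collections import defaultdict

# Constructed sample log in the assumed Kiwi tab-delimited format:
# date <TAB> time <TAB> priority <TAB> hostname <TAB> original syslog message.
# The message bodies use the Cisco IOS ACL deny format (an assumption about
# the router). Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2001-08-08\t17:40:01\tLocal7.Info\t192.168.1.1\t%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(2345) -> 198.51.100.10(80), 1 packet
2001-08-08\t17:40:01\tLocal7.Info\t192.168.1.1\t%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(2346) -> 198.51.100.11(80), 1 packet
2001-08-08\t17:40:02\tLocal7.Info\t192.168.1.1\t%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(2347) -> 198.51.100.12(80), 1 packet
2001-08-08\t17:40:02\tLocal7.Info\t192.168.1.1\t%SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(2348) -> 198.51.100.13(80), 1 packet
2001-08-08\t17:40:03\tLocal7.Info\t192.168.1.1\t%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.44(1080) -> 198.51.100.10(25), 1 packet
2001-08-08\t17:40:03\tLocal7.Info\t192.168.1.1\t%SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.99(53) -> 198.51.100.10(1234), 1 packet
2001-08-08\t17:40:04\tLocal7.Info\t192.168.1.1\t%SYS-5-CONFIG_I: Configured from console by vty0
"""

# Matches only the TCP/UDP form of the IOS ACL log message (with ports).
# ICMP and other-protocol variants use a different mnemonic and are skipped.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def split_kiwi_line(line):
    """Split one Kiwi-format line into the 4 prepended fields plus the
    router's original message. Returns None for lines that do not have
    that layout (blank lines, truncated records, other file formats)."""
    parts = line.rstrip("\r\n").split("\t", 4)
    if len(parts) != 5:
        return None
    date, time, priority, host, message = parts
    return {"date": date, "time": time, "priority": priority,
            "host": host, "message": message}


def parse_acl_message(message):
    """Extract addresses, ports and packet count from an ACL deny message.
    Returns None for any message that is not an IPACCESSLOGP deny."""
    m = ACL_RE.search(message)
    if m is None:
        return None
    return {"acl": m.group("acl"), "proto": m.group("proto"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "packets": int(m.group("count"))}


def parse_kiwi_log(text):
    """Turn the whole log file into a list of ACL deny records; lines that
    are not Kiwi-formatted or not ACL denies are left out of the report."""
    records = []
    for line in text.splitlines():
        fields = split_kiwi_line(line)
        if fields is None:
            continue
        acl = parse_acl_message(fields["message"])
        if acl is None:
            continue
        rec = dict(fields)
        rec.update(acl)
        records.append(rec)
    return records


def summarize_port_scanners(records, port=80, min_targets=3):
    """Group denied TCP packets to `port` by source address and return the
    sources that probed at least `min_targets` distinct destinations, which
    is how a worm sweeping address space shows up in a router's deny log."""
    targets = defaultdict(set)
    packets = defaultdict(int)
    for r in records:
        if r["proto"] != "tcp" or r["dport"] != port:
            continue
        targets[r["src"]].add(r["dst"])
        packets[r["src"]] += r["packets"]
    return {src: {"targets": len(dsts), "packets": packets[src]}
            for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    recs = parse_kiwi_log(SAMPLE_LOG)
    for src, info in summarize_port_scanners(recs).items():
        print(f"{src}: {info['targets']} distinct hosts probed on tcp/{80}, "
              f"{info['packets']} packets")
```

The threshold on distinct destinations rather than on raw packet count is deliberate: a single misconfigured client retrying one web server will generate many denies to one address, while a scanning host spreads a few packets across many addresses. Running it on the constructed sample reports 203.0.113.7 and nothing else. Before pointing it at a real Kiwi file, confirm the column layout and the exact ACL message wording, since both vary with the Kiwi output format setting and the router's software.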