[Dshield] IIS Logs

Johannes B. Ullrich jullrich at sans.org
Fri Mar 29 04:32:42 GMT 2002

> Mine fills up rapidly with all the code red/nimda scans.  It seems like it
> would make sense to send in everything with a 404 and a cmd.exe footprint.

We actually offered a client at one point to automate this
process. However, after the initial CR and Nimda surge and
sending out a few waves of notifications, I did see it more
as a distraction in the long run. As far as notifications go,
we hit most of them with our regular fightback system. Most
of the non-automatic replies we get point to Nimda/CR infections.

The real problem I see with focusing too much on code red is
that we may miss the next big thing, which could be an Apache/PHP
or SNMP worm. Neither would be detected using a Nimda/CR specific

The real hard problem is how to get rid of the remaining CR/Nimda
population. In my opinion, these machines are the greatest threat
to the internet at this point. Turning them into DDOS networks
should be rather simple. We send out fightbacks like crazy, but
even as late as last week, I had a person dismiss a port 80 hit
as a regular web page access (1. why is a web server hitting random pages 
if it's not a search engine 2. why does the homepage have a 'readme.eml' 
embedded ...).  

I think the existing firewall logs we get already show a good picture of 
the extent of the Nimda problem. By focusing on collecting more regular 
firewall/IDS logs, we will be able to improve on this and we will build a 
better network to detect the next big thing.

People that are on this list from last July may remember the initial 
frenzy, as a dshield subscriber was positioned just right to detect the 
very first Code Red scans. Our fight back system provided a fast 
confirmation that something big and bad was coming down the pipe. 
I think the DShield concept did prove itself back then, even though we 
were quite a bit smaller at the time. 

jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System
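The filter the quoted question asks about (404 responses carrying a cmd.exe footprint), as an added example that is not part of the original post or of DShield's own tooling: it parses a constructed IIS log in W3C Extended format, flags rows whose URI matches the Code Red/Nimda markers the thread mentions, and tallies them per source host. The log contents, the marker list and the function names are all assumptions made for the example.

```python
# Constructed sample of an IIS 5 access log in W3C Extended format (not from the post).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-03-28 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-03-28 00:01:10 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2002-03-28 00:01:11 192.0.2.10 GET /scripts/root.exe /c+dir 404
2002-03-28 00:02:30 198.51.100.7 GET /index.html - 200
2002-03-28 00:03:02 192.0.2.10 GET /default.ida XXXX%u9090%u6858 404
2002-03-28 00:04:00 203.0.113.5 GET /readme.eml - 404
2002-03-28 00:05:00 203.0.113.5 GET /about.html - 404
"""

# URI substrings the thread associates with Code Red / Nimda probes (assumed list).
WORM_MARKERS = ("cmd.exe", "root.exe", "default.ida", "readme.eml")


def parse_w3c(text):
    """Yield one dict per data row, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # directive may recur in rotated logs
            continue
        if not line or line.startswith("#"):
            continue                            # other directives and blank lines
        if fields is None:
            raise ValueError("data row before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                            # skip malformed rows rather than guess
        yield dict(zip(fields, values))


def worm_hits(text):
    """Rows worth reporting: a 404 status and a known worm marker in the URI stem."""
    hits = []
    for row in parse_w3c(text):
        uri = row.get("cs-uri-stem", "").lower()
        if row.get("sc-status") == "404" and any(m in uri for m in WORM_MARKERS):
            hits.append((row["c-ip"], row["cs-uri-stem"], row["sc-status"]))
    return hits


def sources_by_count(hits):
    """Probe count per source IP, the per-host view a fightback notification needs."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

A plain 404 on /about.html is left out on purpose: status alone is noise, as the post says, and only the URI footprint separates a scan from an ordinary broken link.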

