[Dshield] IIS Logs
Jim.Tagart at bellcold.com
Fri Mar 29 04:44:17 GMT 2002
Jeff> Mine fills up rapidly with all the code red/nimda scans. It seems like it
would make sense to send in everything with a 404 and a cmd.exe footprint.
My little parser tool is currently looking for these not nice things to
It does generate some false positives if someone inside searches Google say
for instance 'winnt' but it's pretty rare to look up the above list, unless
I run Apache so those above requests are definitely not friendly.
I am 'almost' ready to send raptag beta testers, all 15 counting myself, the
version of raptag.pl that can read in Snort .rules files for reporting bad
things. http://www.tagartengineering.com/raptag.html Why not use a
top-notch IDS's signatures to help analyze firewall logs?
Every angle helps.
Snort is great.
> -----Original Message-----
> From: Jeff Miller [SMTP:jrm.wa at verizon.net]
> Sent: Thursday, March 28, 2002 7:20 PM
> To: list at dshield.org
> Subject: [Dshield] IIS Logs
> Is anybody sending in IIS logs?
> Mine fills up rapidly with all the code red/nimda scans. It seems like it
> would make sense to send in everything with a 404 and a cmd.exe footprint.
> Or am I smoking crack <again>?
> Dshield mailing list
> Dshield at dshield.org
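The filter proposed in the thread (a 404 status together with a cmd.exe footprint), sketched over IIS W3C extended log lines as an added example; it is not code from either poster and not raptag.pl. The function name `scan_candidates`, the field layout and the sample records are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-03-28 19:02:11 192.0.2.10 GET /default.htm - 200
2002-03-28 19:02:40 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2002-03-28 19:03:05 192.0.2.10 GET /favicon.ico - 404
2002-03-28 19:04:12 203.0.113.5 GET /c/winnt/system32/CMD.EXE /c+dir 404
2002-03-28 19:05:00 192.0.2.10 GET /docs/cmd.exe-faq.htm - 200
2002-03-28 19:05:30 truncated-line
"""


def scan_candidates(log_text, footprint="cmd.exe", status="404"):
    """Return (date, time, c-ip, cs-uri-stem) for requests matching both criteria."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # IIS may rewrite this directive mid-file when logging options change.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip truncated or malformed records
        row = dict(zip(fields, parts))
        # Decode twice so double-encoded stems (%255c -> %5c -> \) still match.
        stem = unquote(unquote(row.get("cs-uri-stem", ""))).lower()
        if row.get("sc-status") == status and footprint in stem:
            hits.append((row.get("date"), row.get("time"),
                         row.get("c-ip"), row.get("cs-uri-stem")))
    return hits


if __name__ == "__main__":
    for hit in scan_candidates(SAMPLE_LOG):
        print("\t".join(hit))
```

Requiring both conditions keeps the ordinary 404 for /favicon.ico and the 200 for a page that merely has cmd.exe in its name out of the report.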