[Dshield] IIS Logs

Jim Tagart Jim.Tagart at bellcold.com
Fri Mar 29 04:44:17 GMT 2002


Jeff> Mine fills up rapidly with all the code red/nimda scans.  It seems like it
Jeff> would make sense to send in everything with a 404 and a cmd.exe footprint.

Howdy Jeff,

My little parser tool is currently looking for these not nice things to
request...

/winnt|cmd.exe|default.ida|worm.com|root.exe|ctleq.asp|msadc|owssrv.dll|shtml.exe|formmail/


It does generate some false positives if someone inside searches Google say
for instance 'winnt' but it's pretty rare to lookup the above list, unless
it's me.

I run Apache so those above requests are definitely not friendly.

I am 'almost' ready to send raptag beta testers, all 15 counting myself, the
version of raptag.pl that can read in Snort .rules files for reporting bad
things.  http://www.tagartengineering.com/raptag.html  Why not use a
top-notch IDS's signatures to help analyze firewall logs?

Every angle helps.

http://www.snort.org 
Snort is great.

Jim

> -----Original Message-----
> From:	Jeff Miller [SMTP:jrm.wa at verizon.net]
> Sent:	Thursday, March 28, 2002 7:20 PM
> To:	list at dshield.org
> Subject:	[Dshield] IIS Logs
> 
> Is anybody sending in IIS logs?
> 
> Mine fills up rapidly with all the code red/nimda scans.  It seems like it
> would make sense to send in everything with a 404 and a cmd.exe footprint.
> 
> Or am I smoking crack <again>?
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
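A detector along the lines Jim describes, written here as an added example (not raptag.pl or any code from the thread): it applies the watch list above to Apache Common Log Format lines, with the 404-only filter Jeff suggested as an option. The sample log lines are constructed.

```python
import re

# Jim's watch list of "not nice" request strings, with the Perl m/.../
# delimiters dropped and the line-wrapped 'shtml.exe' rejoined. Each term is
# escaped so 'cmd.exe' cannot also match 'cmdXexe'; matching is case-insensitive
# because IIS paths are case-insensitive and scanners vary the case.
WATCH_LIST = ["winnt", "cmd.exe", "default.ida", "worm.com", "root.exe",
              "ctleq.asp", "msadc", "owssrv.dll", "shtml.exe", "formmail"]
WATCH_RE = re.compile("|".join(re.escape(t) for t in WATCH_LIST), re.IGNORECASE)

# Apache Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

def flag_line(line, only_status=None):
    """Return (host, path, status, matched_term) for a watch-list hit, else None.
    only_status=404 applies Jeff's filter: keep only failed requests, which drops
    the served-but-matching lines Jim mentions (e.g. a search for 'winnt')."""
    m = CLF_RE.match(line)
    if not m:
        return None  # not CLF; skip rather than guess
    status = int(m.group("status"))
    if only_status is not None and status != only_status:
        return None
    hit = WATCH_RE.search(m.group("path"))
    if not hit:
        return None
    return m.group("host"), m.group("path"), status, hit.group(0).lower()

def scan(lines, only_status=None):
    """Run flag_line over every line and return the hits in file order."""
    return [r for r in (flag_line(l, only_status) for l in lines) if r]

# Constructed sample lines in the shape of the scans the thread describes.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Mar/2002:19:20:01 -0500] "GET /scripts/root.exe HTTP/1.0" 404 298',
    '192.0.2.11 - - [28/Mar/2002:19:21:13 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 298',
    '192.0.2.12 - - [28/Mar/2002:19:22:40 -0500] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 298',
    '198.51.100.5 - - [28/Mar/2002:19:23:02 -0500] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [28/Mar/2002:19:24:15 -0500] "GET /search?q=winnt HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for host, path, status, term in scan(SAMPLE_LOG):
        print(f"{host} {status} {term:<12} {path}")
```

The last sample line is the false positive Jim describes: a served search request that happens to contain 'winnt', which the 404 filter removes.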
