[Dshield] Shorewall Parser and Apache Logs

Shawn.Wilkerson@Firstdoor.com Shawn.Wilkerson at Firstdoor.com
Thu Nov 14 15:40:11 GMT 2002


I would definitely consider them attacks. If you have any MS IIS
service running/installed, I would suggest you install MS's URLscan or
IISlockdown tools. They'll intercept these attempts before IIS is able to
execute the requests. Just an extra measure of precaution. FYI - the tools
use text-based rules that aren't too difficult to configure once you've
played with them a little, but the default setups from MS (no surprise) are
not all-encompassing.

Shawn


-----Original Message-----
From: Bogdan Stancescu [mailto:mgv at fx.ro]
Sent: Thursday, November 14, 2002 10:12 AM
To: list at dshield.org
Subject: [Dshield] Shorewall Parser and Apache Logs


Hello!

Just in case my previous message doesn't make it to the list (I 
inadvertently sent it from my other e-mail), here's a newbie question 
for you: does anyone know if there's any Shorewall log parser for dshield?

And here's another :) How about obvious attempts at http hacks? For 
instance I get lots of such http requests lately (zillions of 
variations, but it's obvious what they're trying): "GET 
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1"

Shouldn't these be considered attempted attacks as well, in spite of not 
being logged by the firewall?

TIA!

Bogdan
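
An added example, not part of the original messages: one way to pull the kind of request quoted above out of an Apache access log, since the firewall never sees it. It assumes the Apache common log format, and it generalizes beyond the single `%c0%af` variant by flagging any overlong two-byte UTF-8 sequence. The sample log lines, addresses, and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed format (Apache common log): host ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*?)" (\d{3}) (\S+)')
# Lead bytes 0xC0/0xC1 never occur in valid UTF-8; they only show up in
# overlong encodings of ASCII, such as %c0%af standing in for "/".
OVERLONG_RE = re.compile(rb'[\xc0\xc1][\x80-\xbf]')

def _fold(m):
    """Decode an overlong two-byte sequence to the ASCII byte it hides."""
    b = m.group()
    return bytes([((b[0] & 0x1F) << 6) | (b[1] & 0x3F)])

def classify(request):
    """Return the reasons a request line looks like a traversal probe."""
    parts = request.split(" ")
    if len(parts) < 2:
        return []
    raw = unquote_to_bytes(parts[1])          # undo %xx escapes
    reasons = []
    if OVERLONG_RE.search(raw):
        reasons.append("overlong-utf8")
    norm = OVERLONG_RE.sub(_fold, raw).replace(b"\\", b"/").lower()
    if b"../" in norm:
        reasons.append("dir-traversal")
    if b"cmd.exe" in norm:
        reasons.append("cmd.exe")
    return reasons

def scan(lines):
    """Return (source_ip, timestamp, status, reasons) per suspicious entry."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reasons := classify(m.group(3))):
            hits.append((m.group(1), m.group(2), int(m.group(4)), reasons))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    r'192.0.2.10 - - [14/Nov/2002:10:01:02 +0200] "GET /index.html HTTP/1.1" 200 1043',
    r'198.51.100.7 - - [14/Nov/2002:10:01:05 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1" 404 284',
    r'198.51.100.7 - - [14/Nov/2002:10:01:06 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.1" 404 284',
]

if __name__ == "__main__":
    for ip, ts, status, reasons in scan(SAMPLE):
        print(ip, ts, status, ",".join(reasons))
```

The status code is kept in each hit so that a probe answered with an error can be told apart from one that a server actually served.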
