[Dshield] Shorewall Parser and Apache Logs

Bogdan Stancescu mgv at fx.ro
Thu Nov 14 16:16:05 GMT 2002

Thanks - no, no problem, I run Apache on Linux, I'd actually have to try 
hard to serve the result of a DOS shell :)

My question was more related to the intrinsic nature of the request, and 
what I wanted to know was if there's a way to send such reports to dshield.


Shawn.Wilkerson at Firstdoor.com wrote:

>I would definitely consider them attacks. If you have any MS IIS
>service running/installed, I would suggest you install MS's URLscan or
>IISlockdown tools. They'll intercept these attempts before IIS is able to
>execute the requests. Just an extra measure of precaution. FYI - the tools
>use text-based rules that aren't too difficult to configure once you've
>played with them a little, but the default setups from MS (no surprise) are
>not all-encompassing.
>
>-----Original Message-----
>From: Bogdan Stancescu [mailto:mgv at fx.ro]
>Sent: Thursday, November 14, 2002 10:12 AM
>To: list at dshield.org
>Subject: [Dshield] Shorewall Parser and Apache Logs
>
>Just in case my previous message doesn't make it to the list (I 
>inadvertently sent it from my other e-mail), here's a newbie question 
>for you: does anyone know if there's any Shorewall log parser for dshield?
>And here's another :) How about obvious attempts at http hacks? For 
>instance I get lots of such http requests lately (zillions of 
>variations, but it's obvious what they're trying): "GET 
>/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1"
>Shouldn't these be considered attempted attacks as well, in spite of not 
>being logged by the firewall?
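
One way to pick requests like the one quoted above out of an Apache access log, as an added example that is not part of the original thread. The function names, sample log lines and client addresses are constructed for illustration, and the output is not DShield's submission format.

```python
import re
from urllib.parse import unquote_to_bytes

# Apache common/combined log line: host ident user [time] "METHOD path ..." status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')

# Overlong (invalid) UTF-8 encodings of '/' and '\'; a strict decoder rejects them.
OVERLONG = {b"\xc0\xaf": b"/", b"\xe0\x80\xaf": b"/", b"\xc1\x9c": b"\\"}

def normalize(path, rounds=3):
    """Percent-decode repeatedly, fold overlong separators, unify slashes."""
    data = path.encode("latin-1", "replace")
    for _ in range(rounds):
        decoded = unquote_to_bytes(data)
        for seq, sep in OVERLONG.items():
            decoded = decoded.replace(seq, sep)
        if decoded == data:
            break
        data = decoded
    return data.replace(b"\\", b"/").decode("latin-1").lower()

def classify(line):
    """Return (client, status, reasons) for a traversal attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    path = target.split("?", 1)[0]
    norm = normalize(path)
    if "/../" not in norm:
        return None
    reasons = ["traversal"]
    if any(seq in unquote_to_bytes(path) for seq in OVERLONG):
        reasons.append("overlong-utf8")
    if norm.endswith("/cmd.exe"):
        reasons.append("cmd.exe")
    return client, int(status), reasons

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log (documentation addresses). The first request is the one
# quoted above; the second is a constructed double-encoded variation.
SAMPLE_LOG = [
    r'192.0.2.10 - - [14/Nov/2002:16:01:02 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1" 404 283',
    r'192.0.2.10 - - [14/Nov/2002:16:01:03 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283',
    r'198.51.100.7 - - [14/Nov/2002:16:02:11 +0000] "GET /docs/v1..2/notes.html HTTP/1.1" 200 1043',
]
```

Matching on the normalized path rather than the raw string is what keeps the encoding variations from slipping past, and the logged status code shows whether the server refused the request.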
