[Dshield] IIS log

Richard Roy RoyR at justicetrax.com
Thu Aug 28 16:07:35 GMT 2003


That then begs the question, should we have a separate db for web server
logs to catch what gets through?  A while back a dshielder had given me
some .asp pages which filtered the logs for Nimda and Code Red.  I have
unfortunately lost them.  The problem with the web logs, as I see it, is
the majority (hopefully) of the traffic is legitimate.  Therefore parsing
the logs could only really be done for known problems like Code Red,
Nimda, etc.  We'd need to have signature files like snort does for
every new thing to parse for and submit to dshield, and I don't know
that it is worth the effort.  Anyone else on this?

Rich

-----Original Message-----
From: Wayne Larmon [mailto:wlarmon at dshield.org] 
Sent: Thursday, August 28, 2003 8:53 AM
To: General DShield Discussion List
Subject: RE: [Dshield] IIS log



> Can I submit microsoft IIS log to the dshield database?

We don't currently support IIS logs because our database is packet log
oriented.  i.e. source and target IPs and ports, protocols and flags.
Web server logs don't have this information.

> Is there a support email address I can email 'how to' questions?

info at dshield.org

> I'm not getting responses from the mailing list as I hoped and the 
> dshield.org web site does not have any contact information that I can 
> find.

I can't speak for the responses you get from other mail list
participants, but you did make a good point that the 'info at dshield.org'
address should be more prominent on the site.  I'm in the process of
doing this now.

Wayne Larmon
DShield.org
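
Added example, not part of the original thread and not DShield code: a minimal signature filter of the kind discussed above, run over an IIS W3C extended log so that only requests matching known worm patterns are reported per source address. The two patterns are illustrative assumptions, and the sample log is constructed, using documentation address ranges.

```python
import re
from collections import Counter

# Signature name -> regex over "<cs-uri-stem>?<cs-uri-query>".
# Illustrative patterns only, not an exhaustive or official signature set.
SIGNATURES = {
    "code-red": re.compile(r"^/default\.ida\?[NX]{20,}", re.I),
    "nimda": re.compile(r"/(?:cmd|root)\.exe(?:\?|$)", re.I),
}

# Constructed sample log (W3C extended format, documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-08-28 15:01:02 192.0.2.10 GET /index.asp - 200
2003-08-28 15:01:09 198.51.100.7 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 200
2003-08-28 15:02:11 203.0.113.5 GET /scripts/root.exe /c+dir 404
2003-08-28 15:02:12 203.0.113.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2003-08-28 15:03:40 192.0.2.10 GET /downloads/setup.exe - 200
"""

def scan(lines):
    """Yield (date, time, client_ip, signature) for each request that matches."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        target = row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", "-")
        for name, pattern in SIGNATURES.items():
            if pattern.search(target):
                yield row.get("date"), row.get("time"), row.get("c-ip"), name
                break

def summarize(lines):
    """Count signature hits per (client IP, signature); legitimate traffic is dropped."""
    return Counter((ip, name) for _, _, ip, name in scan(lines))

if __name__ == "__main__":
    for (ip, name), count in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}\t{name}\t{count}")
```

Reading the column order from the `#Fields:` directive rather than hard-coding positions keeps the filter working when the server's logged fields are reconfigured.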

