[Dshield] help identify IIS log entry

John Hardin johnh at aproposretail.com
Tue Mar 25 23:41:05 GMT 2003

On Tue, 2003-03-25 at 12:05, Mrcorp wrote:
> I run 2 different Honeynets on different ISPs with different connections and therefore get logs of
> hundreds of different attacks.  I have packet captures in ethereal and SNORT (MYSQL) formats.  I
> also have IIS logs up the (you know what).  If there is anything I can do to help get this off the
> ground, let me know.  I can also do other spelcific logging on the honeynets upon request.

What I'd like to see is a set of signature specs - ethereal, snort,
apache logfile regexes, IIS logfile regexes, etc. - and an email address
to send the logs to.

Perhaps the email address could classify them, perhaps it'd be different
email addresses for different attacks (e.g. redalert at dshield.org,
iiswebdav at dshield.org, etc.) - that depends on what Johannes wants to

Then these reports could be massaged the way we're currently doing
firewall logs, to identify attacker and attack, notify ISPs and
responsible parties, generate pretty pitchers, and so forth.

John Hardin  KA7OHZ                           <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
 58 days until The Matrix Reloaded

More information about the list mailing list