[Dshield] help identify IIS log entry

John Hardin johnh at aproposretail.com
Wed Mar 26 16:37:53 GMT 2003

On Tue, 2003-03-25 at 17:56, Johannes Ullrich wrote:
> For now, and to get started on this, let's just send logs to 'webdav at dshield.org'.
> I will not add them to a database, but just use
> a couple grep scripts to get them organized. IIS or Apache logs are
> fine.

Sample from /etc/logrotate.d/apache:

  /var/log/httpd/access_log {
    rotate 8
      egrep '"GET .*\.ida\?' /var/log/httpd/access_log |
         mail -s 'APACHE' redalert at dshield.org root at localhost
      egrep '"GET .*\/msadc\/' /var/log/httpd/access_log |
         mail -s 'MSADC' root at localhost
/var/log/httpd/access_log |
         mail -s 'WebDAV' webdav at dshield.org root at localhost
        /usr/bin/killall -HUP httpd 2> /dev/null || true

(probably some wrapping to clean up before use...)

John Hardin  KA7OHZ                           <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
 57 days until The Matrix Reloaded
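
Added example, not part of John Hardin's message: the same pattern matching as a standalone script, run over constructed log lines, reporting only the categories that actually matched. The WebDAV method list is an assumption, since the archived copy of the message has lost its WebDAV pattern; `grep -E` stands in for `egrep`, and `/msadc/` is written without the redundant backslashes.

```shell
#!/bin/sh
# Patterns for the 'APACHE' and 'MSADC' reports, as in the message
# (grep -E instead of egrep; "/" needs no backslash in an ERE).
PAT_IDA='"GET .*\.ida\?'
PAT_MSADC='"GET .*/msadc/'
# ASSUMPTION: the archived message lost its WebDAV pattern; this one
# matches request lines that use a WebDAV method.
PAT_WEBDAV='"(PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|SEARCH) '

# count_hits PATTERN FILE: print the number of matching lines.
# Prints 0 for an unreadable file or no match, and always returns 0.
count_hits() {
    [ -r "$2" ] || { echo 0; return 0; }
    grep -Ec -- "$1" "$2" || true
}

# summary FILE: print "SUBJECT COUNT" for each category with hits, so a
# caller can skip mail(1) for categories that matched nothing.
summary() {
    for pair in "APACHE:$PAT_IDA" "MSADC:$PAT_MSADC" "WebDAV:$PAT_WEBDAV"; do
        subject=${pair%%:*}
        pattern=${pair#*:}
        n=$(count_hits "$pattern" "$1")
        if [ "$n" -gt 0 ]; then printf '%s %s\n' "$subject" "$n"; fi
    done
}

# Constructed sample lines in Apache common log format (not real traffic).
make_sample() {
    cat <<'EOF'
192.0.2.10 - - [25/Mar/2003:10:01:02 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 205
192.0.2.11 - - [25/Mar/2003:10:02:10 +0000] "GET /msadc/ HTTP/1.0" 404 210
192.0.2.12 - - [25/Mar/2003:10:03:30 +0000] "SEARCH / HTTP/1.1" 501 0
192.0.2.13 - - [25/Mar/2003:10:04:00 +0000] "PROPFIND /docs/ HTTP/1.1" 405 0
192.0.2.14 - - [25/Mar/2003:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1043
192.0.2.15 - - [25/Mar/2003:10:06:00 +0000] "GET /search?q=webdav.ida HTTP/1.1" 200 512
EOF
}

log=$(mktemp)
make_sample > "$log"
summary "$log"
rm -f "$log"
```

The pipelines in the message invoke mail even when egrep matched nothing; checking the count first avoids that.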
