[Dshield] help identify IIS log entry

Paul Chambers dshield at lists.bod.org
Wed Mar 26 17:12:39 GMT 2003

> From: Johannes Ullrich
> Sent: Tuesday, March 25, 2003 5:57 PM
> For now, and to get started on this, let's just send logs to
> 'webdav at dshield.org'. I will not add them to a database, but
> just use a couple grep scripts to get them organized. IIS or
> Apache logs are fine.

Any thoughts on the longer term, Johannes?

Just out of curiosity, what proportion of the logs submitted are from
Snort? If Snort has already identified the exploit from its fingerprint,
it seems like a shame to throw the info away. Could another field be added
to the database to hold this?

Could it make it easier to spot the rise of a new exploit? A rise in
'unidentified' exploits might be more easily identified amongst the
noise generated by the old ones...

I would be very interested to see the percentages of the different
scanners, worms, etc. active out there, which isn't always obvious from
the target port alone.


