[Dshield] help identify IIS log entry

Johannes Ullrich jullrich at euclidian.com
Wed Mar 26 17:56:37 GMT 2003

> Any thoughts on the longer term, Johannes?

Lots... no time so far to implement any of them :-/

> Just out of curiosity, what proportion of the logs submitted are from
> Snort? If snort has already identified the exploit from its fingerprint,
> seems like a shame to throw the info away. Could another field be added
> to the database to hold this?

Well, I do still have this snort plugin around someplace that sends in
the full packet. I would prefer not to log whatever signature got
attached by snort as this is frequently customized.

> Could it make it easier to spot the rise of a new exploit? A rise in
> 'unidentified' exploits might be more easily identified amongst the
> noise generated by the old ones...


> I would be very interested to see the percentages of the different
> scanners, worms, etc. active out there, which isn't always obvious from
> the target port alone.

jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
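As an added illustration of the idea raised in the quoted question above (a rise in "unidentified" submissions, i.e. records that arrive without a Snort signature, standing out against the noise of already-known ones), here is a small Python script. It is not part of the original thread or of the DShield code base; the record format (date, target port, optional signature) and the sample records are constructed assumptions, and the threshold rule (a day's unidentified count exceeding twice the mean of the preceding days) is a simple baseline chosen for the example, not a DShield heuristic.

```python
"""Added example (not from the DShield thread or project): count submissions
with and without an attached signature, track the unidentified ones per day,
and flag days where they rise sharply above the running baseline.
All records below are constructed sample data."""
from collections import Counter
from statistics import mean

# Constructed sample submissions: (date, target_port, signature or None).
# A signature of None models a record submitted with no Snort match.
SAMPLE_RECORDS = [
    ("2003-03-24", 80, "SIG-1"),
    ("2003-03-24", 80, None),
    ("2003-03-24", 1434, "SIG-2"),
    ("2003-03-25", 80, "SIG-1"),
    ("2003-03-25", 80, None),
    ("2003-03-25", 1434, "SIG-2"),
    ("2003-03-26", 80, None),
    ("2003-03-26", 80, None),
    ("2003-03-26", 80, None),
    ("2003-03-26", 80, None),
    ("2003-03-26", 1434, "SIG-2"),
]


def signature_share(records):
    """Fraction of records that carry a signature (0.0 if there are none)."""
    if not records:
        return 0.0
    with_sig = sum(1 for _, _, sig in records if sig is not None)
    return with_sig / len(records)


def unidentified_per_day(records):
    """Map each day to the number of records that had no signature."""
    counts = Counter()
    for day, _, sig in records:
        if sig is None:
            counts[day] += 1
    # Make sure days with only identified traffic still appear with 0.
    for day, _, _ in records:
        counts.setdefault(day, 0)
    return dict(sorted(counts.items()))


def flag_rises(per_day, factor=2.0):
    """Return days whose unidentified count exceeds `factor` times the mean
    of all earlier days. The first day has no baseline and is never flagged."""
    flagged = []
    history = []
    for day in sorted(per_day):
        count = per_day[day]
        if history and count > factor * mean(history):
            flagged.append(day)
        history.append(count)
    return flagged


def unidentified_ports(records, day):
    """Target-port breakdown of the unidentified records on one day, which
    is the first thing an analyst would look at for a flagged day."""
    return Counter(port for d, port, sig in records if d == day and sig is None)


if __name__ == "__main__":
    per_day = unidentified_per_day(SAMPLE_RECORDS)
    print("share of records with a signature:", round(signature_share(SAMPLE_RECORDS), 3))
    print("unidentified per day:", per_day)
    for day in flag_rises(per_day):
        print(f"rise on {day}: ports {dict(unidentified_ports(SAMPLE_RECORDS, day))}")
```

Run as-is it prints a signature share of 0.455, the per-day counts, and flags 2003-03-26 (four unidentified records against a baseline of one per day), all of them on port 80. In practice the baseline would be computed over a longer window and per target port, so that a new unsigned probe on one port is not masked by identified traffic elsewhere.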

