[Dshield] Suspect HTTP-activity

Johannes B. Ullrich jullrich at sans.org
Sat Jan 24 04:07:15 GMT 2004


> > Any DShield-like service that collects apache-logs? ;-)
> 
> Dshield does some, they are thinking about doing more. I'll let Johannes
> fill in the details.

Yes. It's one of many projects. I would like to collect more
Apache logs, but have to work out some logistic issues (how to
fund such a collection), and technical issues.

I believe web logs are of real interest. We do get a good number
of 'anecdotal' reports about scanning for weak cgi scripts, 
or even targeted 'google-ing' for servers that run them.

One problem is privacy. At this point, we do not collect any
payload. While we treat the target IP address as confidential,
we don't have to apply many filters to the remaining data.

Web logs are different. Even if I hide the host name of the
system the logs come from, it is possible that a URL with
username / password makes it into the collection. And manual
review of these logs wouldn't be feasible. We would have
to come up with a more generalized classification of logs.

Ideally, I would just like to collect error logs from web
sites. But everyone who is running a busy web site knows
that they can get large, and are full of 'false positives'
like typos or outdated URLs people have bookmarked.


-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
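The log-sharing problem the message describes, as an added example that is not part of the original post or of DShield's own code: a Python filter that strips credentials from request URLs, pseudonymises the reporting virtual host with an assumed per-site secret, and separates errors on script paths from the typo-style noise the post mentions. The field layout, the SITE_SALT value, the sensitive-key list and the sample log lines are assumptions.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
# Hypothetical per-site secret (assumed): the host is pseudonymised consistently
# across submissions but cannot be recovered by the collector.
SITE_SALT = b"example-site-secret"
# Apache combined log format with a leading virtual-host field.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]+" (?P<status>\d{3}) \S+'
)
# Query keys whose values never leave the site.
SENSITIVE = {"user", "username", "login", "password", "passwd", "pwd",
             "pass", "token", "session", "sessionid"}
# Errors on script handlers merit a look; other 4xx are mostly typos/stale bookmarks.
SCRIPT_RE = re.compile(r"(^|/)cgi-bin/|\.(cgi|pl|php|asp)$", re.I)

def redact_url(url: str) -> str:
    """Drop user:pass@ from the authority; mask credential-like query values."""
    p = urlsplit(url)
    netloc = (p.hostname or "") + (f":{p.port}" if p.port else "")
    query = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(p.query, keep_blank_values=True)]
    return urlunsplit((p.scheme, netloc, p.path, urlencode(query), p.fragment))

def classify(url: str, status: int) -> str:
    """'ok' below 400, 'suspect' for errors on script paths, else 'noise'."""
    if status < 400:
        return "ok"
    return "suspect" if SCRIPT_RE.search(urlsplit(url).path) else "noise"

def sanitize_line(line: str):
    """Parse one log line into the fields safe to submit; None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url, status = redact_url(m["url"]), int(m["status"])
    target = hashlib.sha256(SITE_SALT + m["vhost"].encode()).hexdigest()[:16]
    return {"target": target, "client": m["client"], "time": m["time"],
            "method": m["method"], "url": url, "status": status,
            "class": classify(url, status)}

def sanitize_log(text: str) -> list:
    """Sanitised, classified records for every parseable line of an access log."""
    return [r for r in map(sanitize_line, text.splitlines()) if r]

# Constructed sample: a CGI probe, a login with credentials in the query, a typo.
SAMPLE_LOG = """\
www.example.test 192.0.2.10 - - [23/Jan/2004:22:01:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 294
www.example.test 192.0.2.11 - - [23/Jan/2004:22:01:09 +0000] "GET /login?user=bob&password=hunter2 HTTP/1.1" 200 1024
www.example.test 192.0.2.12 - - [23/Jan/2004:22:02:30 +0000] "GET /about-us.htlm HTTP/1.1" 404 294
"""
```

Only the pseudonymised host, client address, timestamp, method, redacted URL, status and class reach the collector; the raw line is never forwarded.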