Thu Jun 21 14:48:05 GMT 2007

> The big issue is that HTTP logs are so much larger than firewall logs,

The error log is smaller than the access log by orders of magnitude.
Unfortunately, it also shows errors due to mistakes by the people
putting up the web content.  These errors would cause a 'long tail'
effect if we tried to 'dshield' all our logs.

You mentioned connections to non-existent e-mail addresses; we could
'dshield' the mailserver logs.  First, seed the spammers with fake
addresses such as <notaname at domain.com>, where domain.com is all the
dshield participants, then scan the mail logs for this fake user.

Just an idea, but this could mushroom into a lot of work.

> Marc calls it: "We saw this, did it hurt?"

Would you explain this, please?
cheers -- Rick
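
The mail-log scan suggested above, as an added example that is not part of the original post: it counts delivery attempts to the seeded decoy address per source IP and ignores rejects for mistyped real users. The Postfix-style log format, the example.com placeholder domain and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumption: the decoy mailbox seeded to spammers; the post's example is
# <notaname at domain.com>, written here against a placeholder domain.
DECOY = "notaname@example.com"

# Constructed sample lines in Postfix syslog style (not real log data).
SAMPLE_LOG = """\
Jun 21 14:01:07 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <notaname@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@spam.invalid> to=<notaname@example.com> proto=ESMTP helo=<pc1>
Jun 21 14:01:09 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <NotAName@Example.com>: Recipient address rejected: User unknown in local recipient table; from=<b@spam.invalid> to=<NotAName@Example.com> proto=ESMTP helo=<pc1>
Jun 21 14:02:30 mx1 postfix/smtpd[2107]: NOQUEUE: reject: RCPT from mail.partner.invalid[198.51.100.20]: 550 5.1.1 <rick.smtih@example.com>: Recipient address rejected: User unknown in local recipient table; from=<c@partner.invalid> to=<rick.smtih@example.com> proto=ESMTP helo=<mail.partner.invalid>
Jun 21 14:03:44 mx1 postfix/smtpd[2110]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 550 5.1.1 <notaname@example.com>: Recipient address rejected: User unknown in local recipient table; from=<> to=<notaname@example.com> proto=SMTP helo=<x>
Jun 21 14:04:02 mx1 postfix/smtpd[2112]: connect from unknown[192.0.2.90]
"""

# Matches "RCPT from host[ip]: ... to=<recipient>" on an smtpd reject line.
RCPT_RE = re.compile(
    r"RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]:.*\bto=<(?P<rcpt>[^>]*)>"
)


def decoy_hits(log_text, decoy=DECOY):
    """Count delivery attempts to the decoy address, per source IP."""
    hits = Counter()
    for line in log_text.splitlines():
        m = RCPT_RE.search(line)
        # Only the seeded address counts; a typo of a real user is the
        # kind of innocent error that would otherwise add noise.
        if m and m.group("rcpt").lower() == decoy.lower():
            hits[m.group("ip")] += 1
    return hits


def report(hits):
    """One 'ip count' line per source, busiest first."""
    ordered = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{ip} {n}" for ip, n in ordered]


if __name__ == "__main__":
    print("\n".join(report(decoy_hits(SAMPLE_LOG))))
```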

