Hi. Just a note I might have missed in the message traffic: Those using grep/etc. looking for .ida? in the IIS logs will be missing some entries. These are also showing up with "?" replaced by a "," and a leading _space_ for the Ns; also the ending is different. A "," has been added after the "a" in:

010801.log:206.128.108.248, -, 8/1/01, 14:41:53, W3SVC24, XXXXX, xxx.xxx.xxx.xxx, 750, 4039, 604, 404, 2, GET, /default.ida, NNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a,

Is IIS transposing this? I have these in different logs:

.ida?NNN...
.ida, NNN...
.ida NNN...

This is just for the IIS logs. If you use the SNORT rules Jim Forester posted a bit ago, it _should_ get all variations, yes?

alert tcp any any -> any 80 (msg: "CodeRed Defacement Detected"; flags: A+; content: "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"; depth:64;)
alert tcp any any -> any 80 (msg: "CodeRed Overflow Detected"; dsize: >239; flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|"; depth:64;)

...ken
------------------------------------------------------------------
Ken Lyon
Network Operations Manager (NOM!) - Vortex Technologies, Inc.
http://ncoc.VortexCorp.com/cs/
Voice: +1 732.918.6004 / FAX: +1 732.918.6005
"..It don't mean a thing if you cain't get that Ping...." Duke Ellington, 1932
-----------------------------------------------------------------
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
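Added example, not part of Ken's message or anything posted to the list: a small Python scanner that walks IIS log lines in the comma-separated layout of the entry quoted above and flags all three spellings reported there (".ida?NNN", ".ida, NNN", ".ida NNN"), with a secondary check on the run of %uXXXX escapes so a line with an unexpected separator is still caught. The quoted line has the field layout of the Microsoft IIS log file format, in which the request target and its parameters are written as two separate comma-separated fields; that is consistent with the ", N" form, but the scanner does not depend on it. The second half decodes the hex content clause of the posted "CodeRed Overflow Detected" Snort rule and checks which of the three forms it would match, modelling only content and depth (not dsize or TCP flags). The sample log lines, the filler-length and escape-count thresholds, and the function names are all constructed for this example.

```python
import re

# Constructed sample log (not taken from the post): five lines in the same
# comma-separated IIS log layout as the entry quoted above.  Line 1 mirrors
# the post's ", N" form with a shortened filler; lines 2 and 3 are the "?" and
# bare-space forms the post lists; lines 4 and 5 are benign controls (an
# ordinary page and a /default.ida request with no payload).
SAMPLE_LOG = """\
206.128.108.248, -, 8/1/01, 14:41:53, W3SVC24, XXXXX, xxx.xxx.xxx.xxx, 750, 4039, 604, 404, 2, GET, /default.ida, NNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a,
10.0.0.5, -, 8/1/01, 14:42:10, W3SVC24, XXXXX, xxx.xxx.xxx.xxx, 750, 4039, 604, 404, 2, GET, /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858=a, -,
10.0.0.6, -, 8/1/01, 14:43:01, W3SVC24, XXXXX, xxx.xxx.xxx.xxx, 750, 4039, 604, 404, 2, GET, /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a, -,
10.0.0.7, -, 8/1/01, 14:44:00, W3SVC24, XXXXX, xxx.xxx.xxx.xxx, 120, 250, 1024, 200, 0, GET, /index.htm, -,
10.0.0.8, -, 8/1/01, 14:45:12, W3SVC24, XXXXX, xxx.xxx.xxx.xxx, 90, 200, 512, 404, 2, GET, /default.ida, -,
"""

# One pattern for all three spellings the post reports after "/default.ida":
# "?" (as the request is sent), ", " (target and parameters written as
# separate log fields) and a bare space.  The filler run may itself contain
# spaces, as in the quoted line.  The length threshold (15) is an assumption.
IDA_RE = re.compile(r"/default\.ida(?P<sep>\?|,\s*|\s+)(?P<filler>N[N ]{15,})")

# Secondary indicator: a run of %uXXXX escapes carrying the payload.  Catches
# a line whose separator or filler differs from the three forms above.
# The count threshold (4) is an assumption.
UESC_RE = re.compile(r"(?:%u[0-9a-fA-F]{4}){4,}")

# The overflow rule exactly as posted above.
SNORT_OVERFLOW_RULE = (
    'alert tcp any any -> any 80 (msg: "CodeRed Overflow Detected"; dsize: >239; '
    'flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|"; depth:64;)'
)


def scan_iis_log(text):
    """Return one record per log line that carries a Code Red style request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        m = IDA_RE.search(line)
        u = UESC_RE.search(line)
        if not (m or u):
            continue
        if m:
            sep = m.group("sep")
            variant = "?" if sep.startswith("?") else "," if sep.startswith(",") else " "
        else:
            variant = "%u-only"
        hits.append({
            "line": lineno,
            "client": fields[0],                 # client IP is the first field
            "when": f"{fields[2]} {fields[3]}",  # date and time fields
            "variant": variant,
            "unicode_escapes": u is not None,
        })
    return hits


def snort_content_bytes(rule):
    """Decode the |hex| content clause of a Snort rule into the bytes it matches."""
    hexblob = re.search(r'content:\s*"\|([0-9A-Fa-f ]+)\|"', rule).group(1)
    return bytes.fromhex(hexblob.replace(" ", ""))


def rule_covers(rule, request_line):
    """True if the rule's content bytes occur within the first depth: bytes of
    the request.  Only content and depth are modelled, not dsize or flags."""
    content = snort_content_bytes(rule)
    depth_m = re.search(r"depth:\s*(\d+)", rule)
    window = request_line.encode()
    if depth_m:
        window = window[: int(depth_m.group(1))]
    return content in window


if __name__ == "__main__":
    for h in scan_iis_log(SAMPLE_LOG):
        print(h)
    print("overflow rule content:", snort_content_bytes(SNORT_OVERFLOW_RULE))
    # Which of the three logged spellings would the rule see on the wire?
    for form in ("?", ", ", " "):
        req = f"GET /default.ida{form}{'N' * 200} HTTP/1.0"
        print(repr(f"/default.ida{form}NNN"), "->", rule_covers(SNORT_OVERFLOW_RULE, req))
```

Run against the constructed log the scanner flags lines 1 to 3 and leaves the two controls alone. The decoded content clause of the overflow rule is the literal bytes "/default.ida?NNN", so a request that actually carries ", N" or " N" on the wire would not trip it; whether those forms are what was sent or only how IIS wrote them to the log is the question Ken raises, and the scanner above catches the log entries either way.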
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 14:30:54 PDT