Hi.

I've written a tool in Java which does the following:

- listens on port 80 for incoming Code Red attacks
- detects the Code Red attack signature and logs the attacker's IP, the attack URL, and the timestamp
- periodically (every 100 requests or every 30 minutes, whichever comes first) sends the logs via SMTP to the email address(es) of your choice

This is for those daring/curious people who aren't running a web server (or Snort) already, who feel like poking port 80/tcp open in their firewall and forwarding it to a machine running this honeypot. I've done this on my cable modem and I'm logging about 3 attacks per minute on a single IP address.

I have my program configured to send mail to the ARIS email address <aris-reportat_private>. The log format is compatible with the SecurityFocus ARIS email notification format (see http://www.securityfocus.com/templates/archive.pike?end=2001-08-11&list=1&mid=201907&threads=0&start=2001-08-05&fromthread=0 ), but the source code I've attached does not send email to the ARIS email address by default (check with ARIS first, then uncomment the ARIS recipient line in the source code).

You can use this to send logs to your ISP, to yourself, to ARIS, to DShield.org (see program comments) or what have you.

You need to change at least two lines in the source code: these are the lines which specify your email address and your SMTP server. If you want to add additional email recipients, it's a trivial change to the source code.

The Java source file is attached to this email. It should be safe to open .java source files by default, but if you're wary of this sort of thing, let me know and I'll paste the source code into a new message.

Chad Loder
Rapid 7, Inc.
Visit http://www.rapid7.com for the next generation of security products
This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 22:10:53 PDT
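The detect-and-batch logic described in the message, sketched in Python as an added example; it is not the Java source attached to the original email. Assumptions: the signature is a `GET` for `/default.ida` followed by a long run of `N` or `X` padding (minimum run of 16 chosen here), the tab-separated log line is illustrative and not the ARIS format, the count threshold applies to logged detections, and all names (`is_code_red`, `AttackLog`, `send`) are hypothetical.

```python
import re
import time

# Assumption: Code Red requests target /default.ida with a long run of
# 'N' (or 'X') padding in the query; 16 is an arbitrary minimum run length.
SIGNATURE = re.compile(r"^GET\s+/default\.ida\?(N{16,}|X{16,})", re.IGNORECASE)
FLUSH_COUNT = 100          # from the post: every 100 requests
FLUSH_SECONDS = 30 * 60    # from the post: or every 30 minutes


def is_code_red(request_line):
    """True if the first line of an HTTP request matches the signature."""
    return SIGNATURE.match(request_line) is not None


class AttackLog:
    """Buffers detections and hands them to `send` in batches."""

    def __init__(self, send, clock=time.time):
        self.send = send          # callable taking the batch as one string
        self.clock = clock        # injectable so the timer can be tested
        self.entries = []
        self.last_flush = clock()

    def record(self, src_ip, request_line):
        """Log one request if it matches; flush when a threshold is hit."""
        if not is_code_red(request_line):
            return False
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(self.clock()))
        url = request_line.split()[1][:80]   # truncate the padded URL
        self.entries.append(f"{stamp}\t{src_ip}\t{url}")
        self.flush_if_due()
        return True

    def flush_if_due(self):
        """Send after 100 entries or 30 minutes, whichever comes first.
        A real listener would also call this from a periodic timer."""
        aged = self.clock() - self.last_flush >= FLUSH_SECONDS
        if self.entries and (len(self.entries) >= FLUSH_COUNT or aged):
            self.send("\n".join(self.entries))
            self.entries = []
            self.last_flush = self.clock()


# Constructed sample request line (not captured traffic).
SAMPLE = "GET /default.ida?" + "N" * 40 + " HTTP/1.0"
```

The `send` callable is where an SMTP hand-off would go; a listener only needs to pass the peer address and the first request line to `record`.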