While poking around in my logs following Code Red I started noticing that there were no entries indicating any attempts. Not fully believing this, I went ahead and got Snort back up and running, waited 10 minutes, and already had 17 hits. After thinking a bit I came to the conclusion that the cause for this is host headers. Now, how this applies to future vulnerabilities is this: most of these script-based attacks generate random IPs, so if you use host headers, even if only one site is present, it would require a name to tell the web server which directory to send the request to. Not sure how effective this would be against Unicode-type exploits, but I feel it would have helped with CR. Should be able to accomplish the same thing with Apache too... Any thoughts or experiences?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 15:29:44 PDT
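The routing the post proposes, as an added example that is not part of the original message or of any web server's code: a small Python model of name-based virtual hosting in which only a request carrying a known host name reaches real content, while anything addressed to the bare IP (no Host header, a Host that is just the address, or a name the server does not know) lands in an empty default site. The site table, document roots, host names and the Code Red-style request samples are all constructed for the example.

```python
"""Model of name-based virtual-host dispatch (added example, not server code).

Only a request whose Host header names a configured site is routed to that
site's document root.  Everything else falls through to DEFAULT_ROOT, a
deliberately empty directory, which is the effect the post is describing.
"""
import re
from typing import Dict, Optional, Tuple

DEFAULT_ROOT = "/var/www/empty"          # hypothetical empty catch-all site
SITES: Dict[str, str] = {                # hypothetical named sites
    "www.example.org": "/var/www/example",
    "mail.example.org": "/var/www/webmail",
}

# Dotted-quad literal: a scanner that picked the IP and echoed it as Host.
IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP request head into (method, path, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def requested_host(headers: Dict[str, str]) -> Optional[str]:
    """Normalise Host: drop any :port and lowercase; None if the header is absent.
    (Bracketed IPv6 literals are not handled; they did not matter in 2001.)"""
    value = headers.get("host")
    if value is None:
        return None
    return value.split(":", 1)[0].strip().lower()


def route(raw: bytes) -> Tuple[str, str]:
    """Return (document_root, reason) the way a name-based vhost server would."""
    _, _, version, headers = parse_request(raw)
    host = requested_host(headers)
    if host is None:
        if version == "HTTP/1.1":
            return DEFAULT_ROOT, "bad-request"   # RFC 2616: Host is mandatory in 1.1
        return DEFAULT_ROOT, "no-host"           # HTTP/1.0 scanner: no name at all
    if IPV4_LITERAL.match(host):
        return DEFAULT_ROOT, "ip-literal"        # Host is just the target address
    if host in SITES:
        return SITES[host], "named-site"         # only a real name reaches content
    return DEFAULT_ROOT, "unknown-name"


# Constructed sample requests; they are not captured worm traffic.
WORM_NO_HOST = (
    b"GET /default.ida?" + b"N" * 32 + b"%u9090%u6858=a HTTP/1.0\r\n"
    b"Content-type: text/xml\r\n\r\n"
)
WORM_IP_HOST = (
    b"GET /default.ida?" + b"N" * 32 + b"=a HTTP/1.0\r\n"
    b"Host: 192.0.2.10\r\n\r\n"
)
SCANNER_UNKNOWN_NAME = (
    b"GET /default.ida?" + b"N" * 32 + b"=a HTTP/1.0\r\n"
    b"Host: www.worm.invalid\r\n\r\n"
)
LEGIT = b"GET /index.html HTTP/1.1\r\nHost: www.example.org:80\r\n\r\n"
HTTP11_NO_HOST = b"GET / HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for label, req in [
        ("worm, no Host", WORM_NO_HOST),
        ("worm, Host=IP", WORM_IP_HOST),
        ("scanner, unknown name", SCANNER_UNKNOWN_NAME),
        ("legitimate", LEGIT),
        ("HTTP/1.1 without Host", HTTP11_NO_HOST),
    ]:
        print(f"{label:24s} -> {route(req)}")
```

On Apache the same effect comes from making the first `<VirtualHost>` (which is the default for any unmatched name) point at an empty DocumentRoot and declaring the real site by `ServerName` after it. Two caveats apply in practice: the request still reaches the server process, which is exactly why Snort kept firing in the post while the site log stayed clean, so the trick only helps if the default site has nothing exploitable behind it; and an attacker who already knows the site's name simply sets Host and gets the real content.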