Re: [logs] nimda web server logs

From: Sweth Chandramouli (loganalysisat_private)
Date: Tue Jun 18 2002 - 22:15:13 PDT

    On Sat, Jun 15, 2002 at 12:01:02PM +0200, wolfgangat_private wrote:
    > Nimda attack. Key differences are apparently:
    > - First request is always a GET for /galaxy_XXXXX.XXXX
    > - the nimda-ish requests that follow are actually not GET but HEAD
    > - there are a few (GET-)requests for /NULL.printer, NULL.ida and NULL.idq
    >   thrown in as well.
    	Cool; this kind of clarity in descriptions makes it very
    easy to see what is and isn't relevant in the data set.  I'd agree that
    this is Nimda-ish, but not Nimda, and probably not what Tina was seeing,
    either.  Has anyone else seen these traits in a scan using directory
    traversal exploits?
    
    	-- Sweth.
    
    -- 
    Sweth Chandramouli      Idiopathic Systems Consulting
    svcat_private      http://www.idiopathic.net/
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
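The three traits quoted above (a leading GET for /galaxy_XXXXX.XXXX, HEAD rather than GET for the traversal probes, and a few GET requests for /NULL.printer, /NULL.ida and /NULL.idq) are specific enough to turn into a log check that separates this scanner from classic Nimda. The following is an added example, not code posted by anyone in this thread: it parses common-log-format lines, groups requests by client address, and classifies each client as classic Nimda (all-GET root.exe/cmd.exe probes), the galaxy variant described in the quoted post, something Nimda-ish that fits neither profile, or unrelated traffic. The root.exe/cmd.exe probe paths are the ones the Nimda worm is known to send (CERT CA-2001-26); the sample log lines are constructed for the example, and the regex for the galaxy request is an assumption, since the post does not say what the X's stand for.

```python
import re
from collections import defaultdict

# NCSA/Apache common log format: host ident user [ts] "METHOD path PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Nimda's web-scanning phase asks for root.exe or cmd.exe through a set of
# directory-traversal encodings; every Nimda-derived scanner reuses these paths.
TRAVERSAL = re.compile(r'/(?:root|cmd)\.exe', re.IGNORECASE)

# Assumption: the poster wrote /galaxy_XXXXX.XXXX without saying what the X's are,
# so any "galaxy_<something>.<something>" in the root directory is accepted here.
GALAXY = re.compile(r'^/galaxy_[^/]+\.[^/]+$')

# The extra probes the poster saw mixed in (compared case-insensitively).
NULL_PROBES = {'/null.printer', '/null.ida', '/null.idq'}


def parse(lines):
    """Yield (host, method, path) for every line that parses as CLF; skip the rest."""
    for line in lines:
        m = CLF.match(line)
        if m:
            yield m['host'], m['method'], m['path']


def classify(lines):
    """Return {host: verdict}; verdict is 'nimda', 'galaxy-variant', 'nimda-ish' or 'other'."""
    by_host = defaultdict(list)
    for host, method, path in parse(lines):
        by_host[host].append((method, path))  # log order == request order

    verdicts = {}
    for host, reqs in by_host.items():
        traversal = [(m, p) for m, p in reqs if TRAVERSAL.search(p)]
        if not traversal:
            verdicts[host] = 'other'
            continue

        first_method, first_path = reqs[0]
        galaxy_first = first_method == 'GET' and GALAXY.match(first_path) is not None
        all_head = all(m == 'HEAD' for m, _ in traversal)
        null_probes = {p.lower() for m, p in reqs if m == 'GET'} & NULL_PROBES

        if galaxy_first and all_head and null_probes:
            verdicts[host] = 'galaxy-variant'      # the profile quoted in the thread
        elif all(m == 'GET' for m, _ in traversal):
            verdicts[host] = 'nimda'               # classic worm: GET only
        else:
            verdicts[host] = 'nimda-ish'           # traversal probes, neither profile
    return verdicts


# Constructed sample log: one classic Nimda client, one galaxy-variant client,
# one ordinary visitor. Not taken from any real server.
SAMPLE_LOG = """\
10.0.0.1 - - [15/Jun/2002:11:58:01 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 209
10.0.0.1 - - [15/Jun/2002:11:58:01 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
10.0.0.1 - - [15/Jun/2002:11:58:02 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 216
10.0.0.1 - - [15/Jun/2002:11:58:02 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
10.0.0.2 - - [15/Jun/2002:12:00:40 +0200] "GET /galaxy_12345.6789 HTTP/1.0" 404 210
10.0.0.2 - - [15/Jun/2002:12:00:40 +0200] "HEAD /scripts/root.exe?/c+dir HTTP/1.0" 404 0
10.0.0.2 - - [15/Jun/2002:12:00:41 +0200] "GET /NULL.printer HTTP/1.0" 404 206
10.0.0.2 - - [15/Jun/2002:12:00:41 +0200] "HEAD /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
10.0.0.2 - - [15/Jun/2002:12:00:42 +0200] "GET /NULL.ida HTTP/1.0" 404 202
10.0.0.2 - - [15/Jun/2002:12:00:42 +0200] "GET /NULL.idq HTTP/1.0" 404 202
10.0.0.3 - - [15/Jun/2002:12:03:10 +0200] "GET /index.html HTTP/1.1" 200 1043
"""

if __name__ == '__main__':
    for host, verdict in sorted(classify(SAMPLE_LOG.splitlines()).items()):
        print(host, verdict)
```

The grouping is by client address only, which is what an access log gives you; on a busy server two different scanners behind one NAT address would be merged, so treat the verdict as a triage label and look at the raw request sequence before drawing conclusions about "what Tina was seeing".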
    



    This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 09:41:15 PDT