Security Incidents mailing list archives

IIS logs -- A little off topic


From: "Portnoy, Gary" <gportnoy () belenosinc com>
Date: Wed, 1 Aug 2001 14:30:53 -0400

Hi there,

With all this CodeRed generated activity I just realized something:  If I am
using host headers in IIS, and somebody makes a connection to an IP address
and attempts to overflow the Index server, it isn't going to be logged
anywhere.  Each website residing on a computer has a unique host header and
is logging to a unique log directory.  I don't have a website associated with
the IP address, hence, even though the connection can be established (SYN,
SYN/ACK, ACK), the request will get an error.  This is both good and bad:
it's good in the respect that even though my servers could be vulnerable, if
you aren't including a host header in your request, you'll get an error, and
most scanners just use a straight IP address.  It's bad in the respect that I
have no clue who is trying what against my server because it's not logging
it.  I noticed similar behavior when the sadmind worm was going around and it
would attempt to "GET x" to determine the type of the server.  Apache would
log it, but not IIS, though it had to do with the fact that for some reason
IIS doesn't like "GET x", it needs the '/'.  "GET /x" would be logged.  I
suspect this is a little different, but it's related to the fact that IIS
doesn't have a 'default' or 'error' log.  How are others dealing with this?

Whew,  that was a long post...

-Gary-

Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C

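The behaviour described in the post, modelled as an added example (this is not code from the post, from IIS, or from the list): a server that dispatches each connection to a site log by its Host header, shown once with no site owning the bare IP address and once with a hypothetical catch-all site bound to it. The site table, log names and sample requests are constructed for illustration; the Code Red probe is shortened to its shape, and the status codes are only a model of "the request will get an error".

```python
"""Model of Host-header virtual hosting: which requests reach a site log.

Added example, not code from the original post or from IIS. Site names,
log names and the sample traffic below are made up for illustration.
"""
from typing import Dict, List, Optional, Tuple

# Hypothetical site table: Host header value -> log name for that site.
SITES: Dict[str, str] = {
    "www.example.com": "W3SVC1",
    "intranet.example.com": "W3SVC2",
}

# Constructed sample traffic (not captured data), one tuple per connection.
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    # Ordinary request with a Host header that matches a configured site.
    ("10.0.0.5", b"GET /index.htm HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # Code Red-style probe for default.ida sent to the bare IP, no Host header
    # (payload shortened; only the shape matters here).
    ("192.0.2.77", b"GET /default.ida?" + b"N" * 64 + b" HTTP/1.0\r\n\r\n"),
    # Scanner that sends a Host header, but an IP literal no site is bound to.
    ("192.0.2.88", b"GET / HTTP/1.0\r\nHost: 203.0.113.10\r\n\r\n"),
    # "GET x" banner grab: the target does not start with '/'.
    ("198.51.100.9", b"GET x HTTP/1.0\r\n\r\n"),
]


def parse_host(raw: bytes) -> Tuple[str, Optional[str], bool]:
    """Return (request line, Host header value or None, well_formed).

    well_formed is False when the request line is not "METHOD /target VERSION";
    a target that does not start with '/' counts as malformed, as in the post.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    request_line = lines[0]
    parts = request_line.split(" ")
    well_formed = len(parts) == 3 and parts[1].startswith("/")
    host = None
    for header in lines[1:]:
        name, sep, value = header.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().split(":")[0].lower()  # drop any :port suffix
            break
    return request_line, host, well_formed


def serve(traffic, sites, catch_all=None):
    """Dispatch each connection to a site log by Host header.

    Returns (logs, unlogged): logs maps log name -> list of entries, and
    unlogged holds every request that matched no site and therefore left no
    trace because no catch-all site was configured. Status codes are a model
    of "the request will get an error", not a claim about any real server.
    """
    logs: Dict[str, List[str]] = {name: [] for name in sites.values()}
    if catch_all is not None:
        logs.setdefault(catch_all, [])
    unlogged: List[str] = []
    for client, raw in traffic:
        request_line, host, well_formed = parse_host(raw)
        if not well_formed:
            status, target_log = 400, catch_all
        elif host in sites:
            status, target_log = 200, sites[host]
        else:
            status, target_log = 404, catch_all
        entry = f"{client} {status} {request_line}"
        if target_log is None:
            unlogged.append(entry)
        else:
            logs[target_log].append(entry)
    return logs, unlogged


if __name__ == "__main__":
    for label, catch_all in (("no catch-all site", None),
                             ("catch-all site", "W3SVC_default")):
        logs, unlogged = serve(SAMPLE_TRAFFIC, SITES, catch_all)
        print(f"== {label}: {len(unlogged)} request(s) left no log entry")
        for name, entries in logs.items():
            for e in entries:
                print(f"  {name}: {e}")
        for e in unlogged:
            print(f"  (unlogged): {e}")
```

Without a catch-all, only the one request naming www.example.com reaches any log; the IP-only probe, the unknown-host request and the "GET x" banner grab all vanish. Giving the bare IP address a site of its own (or logging the SYN/ACK side on a packet filter or IDS in front of the server) is what turns those three into entries you can actually read.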

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
