Security Incidents mailing list archives

Re: I will start posting summaries.


From: Ken Lyon <ken () vortexcorp com>
Date: Wed, 1 Aug 2001 15:36:22 -0400

Hi.
Just a note I might have missed in the message traffic:
Those using grep/etc looking for .ida? in the IIS Logs will be missing some entries.
These are also showing up with "?" replaced by a "," and a leading _space_ for
the Ns - also the ending is different. A "," has been added after the "a"

in010801.log:206.128.108.248, -, 8/1/01, 14:41:53, W3SVC24, XXXXX, xxx.xxx.xxx.xxx, 750, 4039, 604, 404, 2, GET, 
/default.ida, NNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a,

Is IIS transposing this?
I have these in different logs:
.ida?NNN...
.ida, NNN...
.ida NNN...

This is just for the IIS logs.

If you use the SNORT Rules Jim Forester posted a bit ago, it _should_ get all
variations, yes?
alert tcp any any -> any 80 (msg: "CodeRed Defacement Detected"; flags: A+;
content: "|FF8B8D64 FEFFFF0F BE1185D2 7402EBD3|"; depth:64;)
alert tcp any any -> any 80 (msg: "CodeRed Overflow Detected"; dsize: >239;
flags: A+; content:"|2F646566 61756C74 2E696461 3F4E4E4E|"; depth:64;)

...ken
------------------------------------------------------------------
Ken Lyon
Network Operations Manager (NOM!) - Vortex Technologies, Inc.
http://ncoc.VortexCorp.com/cs/
Voice: +1 732.918.6004 / FAX: +1 732.918.6005
"..It don't mean a thing if you cain't get that Ping...."
Duke Ellington, 1932
-----------------------------------------------------------------
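As an added illustration of the point made in the message above (not code from the original post or from the list), a small matcher that catches all three spellings of the probe in IIS log lines: ".ida?", ".ida," and ".ida " followed by the run of Ns. The log lines, the client addresses and the 20-N threshold are constructed for the example; real entries are much longer.

```python
import re

# Constructed sample IIS log lines (not taken from the original message), one per
# ".ida" spelling the post lists plus one benign request. Addresses are placeholders.
SAMPLE_LOG = """\
203.0.113.10, -, 8/1/01, 14:41:53, W3SVC24, HOST, 192.0.2.5, 750, 4039, 604, 404, 2, GET, /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858, -,
203.0.113.11, -, 8/1/01, 14:42:10, W3SVC24, HOST, 192.0.2.5, 750, 4039, 604, 404, 2, GET, /default.ida, NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858=a,
203.0.113.12, -, 8/1/01, 14:42:31, W3SVC24, HOST, 192.0.2.5, 750, 4039, 604, 404, 2, GET, /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090,
203.0.113.13, -, 8/1/01, 14:43:02, W3SVC24, HOST, 192.0.2.5, 750, 4039, 604, 200, 0, GET, /index.html, -,
"""

# ".ida" followed by "?", "," or a space (captured), optional whitespace, then a run
# of Ns. A plain grep for ".ida?" only finds the first spelling. The minimum of 20 Ns
# is an assumed threshold chosen to skip accidental short matches.
IDA_PROBE = re.compile(r"\.ida([?, ])\s*N{20,}")


def find_ida_probes(log_text):
    """Return one record per log line that carries the .ida/N probe, whatever the separator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        match = IDA_PROBE.search(line)
        if not match:
            continue
        # IIS "Microsoft IIS log format" fields are comma-separated; the request itself
        # may contain commas (the ".ida," spelling), so only the leading fields are used.
        fields = [f.strip() for f in line.split(",")]
        hits.append({
            "client_ip": fields[0],
            "time": f"{fields[2]} {fields[3]}",
            "status": fields[10],
            "separator": match.group(1),
        })
    return hits


def count_by_separator(hits):
    """Summarise which spelling each hit used, e.g. {'?': 1, ',': 1, ' ': 1}."""
    counts = {}
    for hit in hits:
        counts[hit["separator"]] = counts.get(hit["separator"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_ida_probes(SAMPLE_LOG):
        print(hit)
    print(count_by_separator(find_ida_probes(SAMPLE_LOG)))
```

The same pattern works from the command line as `grep -E '\.ida[?, ] *N{20,}' in*.log`, which covers the variants a search for the literal `.ida?` misses.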


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
