IDS mailing list archives
Web server response to attacks
From: Terry Ziemniak <terry.ziemniak () swc com>
Date: Thu, 20 Feb 2003 12:48:53 -0600
All,

I was reviewing some IIS logs with a co-worker. There were typical Nimda attack signatures (cmd.exe) in the log. He asked an interesting question: can you tell whether the attack was successful based on the HTTP return code? I had always assumed that a 403/404 to this type of request meant it was blocked. But as I have never actually seen the logs from a successful exploit, I am wondering if that is true.

Along those same lines, does this apply to the general class of exploits (meaning OS/web server executable and dll exploits)? For Code Red I and II, as well as tomorrow's new web server exploit du jour, can I assume a 400 level response from my web server means that the attack was not successful?

This second question may be a bit too generalized, but I would appreciate any thoughts on either question.

Terry Ziemniak