I just setup URLscan 20 minutes after I heard about it. Currently our individual dept. isn't using a firewall, but our greater University is. I do port blocking and such, but I wanted a pre-cursor to the request hitting my logs. From the research I've done today, URLscan is quite the tool.
thanks, j -----Original Message----- From: Paul Calvano [mailto:[EMAIL PROTECTED]] Sent: Monday, November 18, 2002 5:06 PM To: IIS50 Discussions Subject: Re: Filtering DDOS, Scans and Hacks Have you looked into URLScan? URLScan is an ISAPI filter availble from Microsoft that does just what you are asking. It prevents traffic from a criteria that you can set from accessing your website. Additionally, it logs all rejected requests to its own logfile, so you can routinely make sure that you are not blocking legitimate requests. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp What kind of firewall are you using? Some firewalls are customizable for blocking traffic based on HTTP requests. Hope this helps. Paul 11/18/2002 6:59:15 PM, "Fritts,Jordan" <[EMAIL PROTECTED]> wrote: >I'm finally sick of it - logs full of requests used to, well, hack my system, >searching for directories and permissions that I've long locked down and patched. > >**** Example Requests ***** >/cgi-bin/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe, /c+dir+c:\, >/winnt/system32/cmd.exe, /c+dir+c:\, >/d/winnt/system32/cmd.exe, /c+dir+c:\, > /iisadmpwd/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe, /c+dir+c:\, >***** > >Anyway, as I was preparing to run a WebTrends, I was scanning the logs for a new site >we put up and all it is are these types of requests. Essentially, we'll always probably have to deal with these things as they are too many machines out there that are infected with administrators that don't know/don't care/don't know what to do about it. > >Anyway (again) I'm looking for ways to stop these requests before they ever hit my >logs. I'd like to stop them at the firewall, but that hasn't happened yet. Becuase I need to stop them at the IIS Server, I'm thinking the only way to do this is to install an ISAPI filter that will just ignore these requests. > >Does anyone out there have a filter like this, or another method, that keeps my logs >a little cleaner? > >tia, j > > >--- >You are currently subscribed to iis50 as: [EMAIL PROTECTED] >To unsubscribe send a blank email to %%email.unsub%% > >--------- >Administrated by 15 Seconds : http://www.15Seconds.com >List Archives/Search : http://local.15Seconds.com/search >Subscription Information : http://www.15seconds.com/listserv.htm >Advertising Information: http://www.internet.com/mediakit/ > > --- You are currently subscribed to iis50 as: [EMAIL PROTECTED] To unsubscribe send a blank email to %%email.unsub%% --------- Administrated by 15 Seconds : http://www.15Seconds.com List Archives/Search : http://local.15Seconds.com/search Subscription Information : http://www.15seconds.com/listserv.htm Advertising Information: http://www.internet.com/mediakit/ --- You are currently subscribed to iis50 as: [email protected] To unsubscribe send a blank email to [EMAIL PROTECTED] --------- Administrated by 15 Seconds : http://www.15Seconds.com List Archives/Search : http://local.15Seconds.com/search Subscription Information : http://www.15seconds.com/listserv.htm Advertising Information: http://www.internet.com/mediakit/
