It started the other day, around the 2nd of September: I began receiving comment spam hits. Hundreds of them, just shy of a thousand hits a day. It's crazy... For those of you who don't know what a comment spam hit is, here's a traffic dump:
GET /2005/04/enterprise-will-take-its-longhorn.html HTTP/1.1
Accept: */*
Accept-Language: en-us
x-aaaaaaaaaaaa: 1
Referer: http://www.casino-bu.com/blackjack.html
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; N_o_k_i_a)
x-aaaaaaaaaa: 300000
UA-CPU: x86
Host: esler.is-a-geek.net
Connection: Keep-Alive
See the weird "x-aaaaaaaaa" headers and the User-Agent string? See the Referer? Some blackjack site? Welp, I don't know why they have suddenly followed me over here, but they have.
I'm considering doing one of several things.
A) Stopping the blog -- Shutting it off completely.
B) Changing the DNS name to something like esler.is-a-geek.org
C) I don't know.
In the meantime I have made some changes to the IDS.
A) A secret
B) Anytime a request is made with that user-agent string, an RST packet will be sent to the host. The communication will immediately cease. (Go Snort.. Go Snort...)
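To make the signature in the dump above concrete, here is an added example (mine, not code from the post and not the Snort rule the IDS is running) that parses raw HTTP request heads and flags the three tells visible in the dump: the "N_o_k_i_a" token in the User-Agent, header names that are just "x-" followed by a run of "a"s, and the casino Referer. The first sample request is the one quoted above; the second is a constructed ordinary browser request for contrast, and the referer blocklist containing only casino-bu.com is an assumption. The `should_reset` decision corresponds to the point at which an IDS like Snort would fire its reset (Snort's `resp` keyword is the mechanism that sends the RST).

```python
"""Flag comment-spam HTTP requests by the signature shown in the post.

Example code added for illustration; it is not part of the original post
and not the author's Snort rule. The spam tells (N_o_k_i_a User-Agent token,
x-aaaa... filler headers, casino referer) come from the traffic dump above;
the referer blocklist is an assumption.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Product token from the dumped User-Agent; no real browser sends this.
SPAM_UA_TOKEN = "N_o_k_i_a"
# Header names that are nothing but "x-" followed by a run of "a"s.
FILLER_HEADER = re.compile(r"^x-a+$", re.IGNORECASE)
# Assumed blocklist: only the domain seen in the post's dump is known bad.
SPAM_REFERER_DOMAINS = {"casino-bu.com"}

# Constructed sample traffic: the first request is the one quoted in the
# post, the second is a constructed benign browser request.
SAMPLE_REQUESTS = [
    "GET /2005/04/enterprise-will-take-its-longhorn.html HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-us\r\n"
    "x-aaaaaaaaaaaa: 1\r\n"
    "Referer: http://www.casino-bu.com/blackjack.html\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; N_o_k_i_a)\r\n"
    "x-aaaaaaaaaa: 300000\r\n"
    "UA-CPU: x86\r\n"
    "Host: esler.is-a-geek.net\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET /2005/04/enterprise-will-take-its-longhorn.html HTTP/1.1\r\n"
    "Host: esler.is-a-geek.net\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:1.0) Gecko/20050101 Firefox/1.0\r\n"
    "Accept: text/html\r\n"
    "Connection: Keep-Alive\r\n\r\n",
]


def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x request head into request line and headers.

    Headers are kept as an ordered list rather than a dict so that repeated
    names (the two x-a... lines in the dump) all stay visible.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def spam_reasons(raw: str) -> List[str]:
    """Return every signature match for a request; empty list means clean."""
    _, headers = parse_request(raw)
    reasons: List[str] = []
    for name, value in headers:
        if name == "user-agent" and SPAM_UA_TOKEN in value:
            reasons.append("user-agent token " + SPAM_UA_TOKEN)
        elif FILLER_HEADER.match(name):
            reasons.append("filler header " + name)
        elif name == "referer":
            host = (urlsplit(value).hostname or "").lower()
            if any(host == d or host.endswith("." + d) for d in SPAM_REFERER_DOMAINS):
                reasons.append("referer domain " + host)
    return reasons


def should_reset(raw: str) -> bool:
    """The IDS decision: True means tear the connection down with an RST."""
    return bool(spam_reasons(raw))


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        request_line, _ = parse_request(raw)
        verdict = "RESET" if should_reset(raw) else "pass"
        print(f"{verdict:5} {request_line}  {spam_reasons(raw)}")
```

Matching on the User-Agent alone would catch this bot until it rotates its string; the filler-header check is the more durable tell here, since a legitimate client has no reason to send a header named "x-" plus a run of "a"s, and a Snort rule for it would use a pcre on the header name rather than a fixed content match.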
Joel Esler, Sourcefire, Snort, Immunet, ClamAV, Apple, and Network Security. This is my blog.