Recently, while we've all been out shopping, paying attention to gifts, what we are going to get and what we aren't going to get, an attack has been going on. Apparently against my web server.
I review my weblogs (I review all my logs) on a weekly basis. Because really, what's the point in having logs if you're not going to look at them? A log that isn't looked at is a pointless log. You might as well shut off syslog if you aren't going to look at the logs. But I digress.
I review my weblogs. I have mod_security installed on my Apache web server here, so through my custom mod_security rules I am provided with an audit_log in my logging directory.
I usually get about 200 to 300 entries a week in that file. All denied.
Last week that number jumped to almost 9000. As of this morning (my logs roll over on Sunday), I had over 3000.
As I am on my BlackBerry I don't have a copy of the logs, so I'll post a sample entry later.
But the string I see a lot is "x-aaaaaaaaaaa" in the header.
Anyone else seeing these?
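As an added example (not the author's code, rules or logs), here is one way to triage the audit_log described above: a small Python parser for the ModSecurity 2.x serial audit_log layout (sections A, B, F, H, Z), a Sunday-based weekly bucket matching the rollover mentioned in the post, and a check for request header names made of "x-" followed by a run of a's, which is the string the post reports seeing. The three entries, the IP addresses, the unique IDs and the header-name regex are constructed for illustration and are not real log data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in ModSecurity 2.x serial audit_log layout. Not real data;
# the lower-case "x-aaaaaaaaaaa" header name is the one the post mentions.
SAMPLE_AUDIT_LOG = """\
--4f2a9c10-A--
[10/Dec/2008:22:14:03 --0500] SUBgqX8AAAEAAAdcCvcAAAAA 203.0.113.7 40211 198.51.100.5 80
--4f2a9c10-B--
GET /admin/ HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (compatible)
--4f2a9c10-F--
HTTP/1.1 403 Forbidden
--4f2a9c10-H--
Message: Access denied with code 403 (phase 2).
--4f2a9c10-Z--

--7be1d3a2-A--
[14/Dec/2008:03:21:07 --0500] SUXjd38AAAEAAB6WG9kAAAAB 192.0.2.10 51234 198.51.100.5 80
--7be1d3a2-B--
GET / HTTP/1.1
Host: www.example.com
x-aaaaaaaaaaa: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
--7be1d3a2-F--
HTTP/1.1 403 Forbidden
--7be1d3a2-H--
Message: Access denied with code 403 (phase 1).
--7be1d3a2-Z--

--9c0e55f3-A--
[16/Dec/2008:11:02:44 --0500] SUfyBH8AAAEAAB9zR1MAAAAC 192.0.2.11 44012 198.51.100.5 80
--9c0e55f3-B--
GET /index.html HTTP/1.1
Host: www.example.com
X-Forwarded-For: 10.0.0.9
X-AAAAAAAAAA: b
--9c0e55f3-F--
HTTP/1.1 403 Forbidden
--9c0e55f3-H--
Message: Access denied with code 403 (phase 1).
--9c0e55f3-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
TIMESTAMP = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) ")
HEADER_LINE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):\s*(.*)$")
# Hypothetical detection pattern: "x-" followed by at least five a's, any case.
SUSPICIOUS_HEADER = re.compile(r"^x-a{5,}$", re.IGNORECASE)


def parse_audit_log(text):
    """Split a serial audit_log into entries: timestamp, client IP, request
    line, headers (names lower-cased) and the Message: lines from section H."""
    entries, current, section = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line.rstrip("\r"))
        if m:
            entry_id, section = m.groups()
            if section == "A":  # a new entry starts with its A section
                current = {"id": entry_id, "time": None, "src": None,
                           "request": None, "headers": {}, "messages": []}
                entries.append(current)
            continue
        if current is None or not line.strip():
            continue
        if section == "A":
            ts = TIMESTAMP.match(line)
            if ts:
                current["time"] = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")
                current["src"] = line.split()[3]  # [date, tz, unique_id, client_ip, ...]
        elif section == "B":
            if current["request"] is None:  # first line of B is the request line
                current["request"] = line
            else:
                h = HEADER_LINE.match(line)
                if h:
                    current["headers"][h.group(1).lower()] = h.group(2)
        elif section == "H" and line.startswith("Message:"):
            current["messages"].append(line[len("Message:"):].strip())
    return entries


def week_start(ts):
    """Bucket a timestamp by the Sunday that starts its week (Sunday rollover)."""
    return (ts.date() - timedelta(days=(ts.weekday() + 1) % 7)).isoformat()


def suspicious_headers(entry, pattern=SUSPICIOUS_HEADER):
    """Header names in the entry that match the pattern."""
    return sorted(n for n in entry["headers"] if pattern.match(n))


def summarize(entries, pattern=SUSPICIOUS_HEADER):
    """Per-week denied-entry totals, how many carried a flagged header name,
    and which client IPs sent them."""
    weeks = defaultdict(lambda: {"total": 0, "flagged": 0, "sources": set()})
    for e in entries:
        if e["time"] is None:
            continue
        w = weeks[week_start(e["time"])]
        w["total"] += 1
        if suspicious_headers(e, pattern):
            w["flagged"] += 1
            w["sources"].add(e["src"])
    return {k: {"total": v["total"], "flagged": v["flagged"],
                "sources": sorted(v["sources"])} for k, v in sorted(weeks.items())}


if __name__ == "__main__":
    for week, stats in summarize(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(week, stats)
```

Pointing `parse_audit_log` at a real file (`open(path).read()`) gives the same per-week view the post describes from its weekly review: the total line shows the jump from a few hundred denials to thousands, and the flagged count and source list show how much of that jump is the odd header and where it comes from. The header-name regex is deliberately loose; tighten it once a real sample entry is in hand.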