RE: CODE RED!!!!!!!!!

  • From: "Shayne Lebrun" <slebrun@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 20 Aug 2001 09:14:31 -0400

200 does NOT mean that you're infected. 200 means simply that the HTTP
request matched a valid ISA web publishing rule, and therefore was
allowed to go through.  Believe it or not, most of these are quite valid
HTTP requests, if a bit on the longish side.

It's up to the webserver itself to throw out invalid requests, and that
means running patches that guard against these things.

Although I have been idly toying with the idea of a 'site and content
rule' that would block any request to default.ida.  Haven't looked into
it, though, to see if it's feasable.

-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Monday, August 20, 2001 8:53 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: CODE RED!!!!!!!!!


http://www.ISAserver.org


I would say the 200 at the end of your log entry could mean that you
were infected:

200 - OK Message - the requested HTTP page was fulfilled.
If ISA server blocks the item via the default rule then the log entry
would show 12206.


Joseph




-----Original Message-----
From: Sharma, Shobha [mailto:c-ssharma@xxxxxxxxxxx] 
Sent: Monday, August 20, 2001 5:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] CODE RED!!!!!!!!!

http://www.ISAserver.org



This message is in MIME format. Since your mail reader does not
understand
this format, some or all of this message may not be legible.


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
slebrun@xxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')


Other related posts: