RE: CODE RED!!!!!!!!!

  • From: "Sharma, Shobha" <c-ssharma@xxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 20 Aug 2001 09:26:41 -0400

So you mean to say that it's OK if I see 200 at the end of the entry? And why
is it having the "NNNNNNNNNNNN" or "XXXXXXX...."? I don't see it on the other 2
servers running Datacenter.


-----Original Message-----
From: Shayne Lebrun [mailto:slebrun@xxxxxxxxxxx]
Sent: Monday, August 20, 2001 9:15 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: CODE RED!!!!!!!!!


http://www.ISAserver.org


200 does NOT mean that you're infected. 200 means simply that the HTTP
request matched a valid ISA web publishing rule, and therefore was
allowed to go through.  Believe it or not, most of these are quite valid
HTTP requests, if a bit on the longish side.

It's up to the webserver itself to throw out invalid requests, and that
means running patches that guard against these things.

Although I have been idly toying with the idea of a 'site and content
rule' that would block any request to default.ida.  Haven't looked into
it, though, to see if it's feasible.

-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Monday, August 20, 2001 8:53 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: CODE RED!!!!!!!!!




I would say the 200 at the end of your log entry could mean that you
were infected:

200 - OK Message - the requested HTTP page was fulfilled.
If ISA server blocks the item via the default rule then the log entry
would show 12206.


Joseph




-----Original Message-----
From: Sharma, Shobha [mailto:c-ssharma@xxxxxxxxxxx] 
Sent: Monday, August 20, 2001 5:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] CODE RED!!!!!!!!!



------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
slebrun@xxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
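
An added example, not written by anyone in this thread: a log triage script that finds default.ida requests padded with the "NNNN..." or "XXXX..." runs mentioned above and sorts them by the two status readings given in the thread (200 = the request matched a web publishing rule and was passed to the web server, 12206 = blocked by ISA). The four-field line layout, the sample addresses and the padding threshold of 8 are assumptions made for the example, not the real ISA log schema.

```python
import re

# Constructed sample lines: "client-ip method uri status".
# The layout is an assumption for this example, not the ISA log format.
SAMPLE_LOG = """\
10.1.1.7 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 200
10.1.1.9 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 12206
10.1.1.12 GET /index.html 200
10.1.1.7 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN 404
"""

# default.ida followed by a long run of N or X padding (threshold is assumed).
PROBE = re.compile(r"^/default\.ida\?(N{8,}|X{8,})", re.IGNORECASE)

# Status readings as stated in the thread.
VERDICTS = {
    "200": "forwarded",   # matched a publishing rule, reached the web server
    "12206": "blocked",   # stopped at ISA
}

def classify(line):
    """Return a dict describing a padded default.ida request, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None  # blank or malformed line
    client, _method, uri, status = parts
    match = PROBE.match(uri)
    if not match:
        return None
    return {
        "client": client,
        "pad": match.group(1)[0].upper(),
        "status": status,
        "verdict": VERDICTS.get(status, "other"),
    }

def triage(log_text):
    """All padded default.ida requests found in the log text, in order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

def forwarded_clients(log_text):
    """Sources whose requests got through to the published web server,
    which is the server whose patch level then decides the outcome."""
    return sorted({h["client"] for h in triage(log_text) if h["verdict"] == "forwarded"})

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["client"], hit["pad"], hit["status"], hit["verdict"])
    print("forwarded from:", forwarded_clients(SAMPLE_LOG))
```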
