IIS Informant: Analyzing Firewall Logs for Infected Systems
Learn how to analyze your firewall logs and discover infected systems.
September 30, 2002
Our firewall logs show a lot of activity, but we don't have any way to analyze information about attacks—all we have are the IP addresses that launched the attacks. We'd like to advise the ISPs that own the IP addresses in our logs that they have infected systems. Do you know of a program that can scan our logs and alert us or the ISPs about infected systems?
Your situation is a serious problem that raises ethical concerns. How much responsibility do server administrators have when it comes to cleaning up other people's messes? In these uncertain times, you can make a sound argument that digital ecology (as I call it) is important because intruders can use unprotected servers as launching platforms for attacks against critical systems in our infrastructures.
The SANS Institute is on the cutting edge of addressing this concern. The institute recently helped create the Cyber Defense Initiative, which includes the Distributed Intrusion Detection System (aka DShield). This SANS Institute-sponsored project lets you submit firewall or IDS logs for processing. You can review the results online and sign up for the FightBack program, which alerts ISPs to infected computers on their systems. These services are free, and you can submit logs anonymously. For more information about DShield, go to http://www.dshield.org.
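Before handing logs to a service such as DShield, it helps to do the first-pass triage the reader asks about locally: group the dropped connections by source IP and pick out the sources whose pattern looks automated (one port hammered across many of your hosts) rather than a single stray probe. The script below is an added example, not code from the column or from DShield. It parses a constructed, generic "DROP proto src -> dst" log format (adapt the regex to whatever your firewall writes), skips malformed lines instead of aborting, and applies threshold values that are assumptions to tune for your own traffic. Looking up the owning ISP's abuse contact (a WHOIS query) is outside what it does.

```python
"""Summarize firewall reject logs per source IP and flag sources that look like
worm-infected hosts scanning your address space.

Added example; the log format, thresholds and sample data are all constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines in a generic firewall-reject format (not any product's real format).
SAMPLE_LOG = """\
2002-09-30 10:01:02 DROP TCP 203.0.113.7:3452 -> 198.51.100.10:80
2002-09-30 10:01:03 DROP TCP 203.0.113.7:3453 -> 198.51.100.11:80
2002-09-30 10:01:04 DROP TCP 203.0.113.7:3454 -> 198.51.100.12:80
2002-09-30 10:01:05 DROP TCP 203.0.113.7:3455 -> 198.51.100.13:80
2002-09-30 10:01:09 DROP TCP 203.0.113.7:3456 -> 198.51.100.14:80
2002-09-30 10:02:00 DROP TCP 192.0.2.44:1234 -> 198.51.100.10:443
2002-09-30 10:02:01 DROP UDP 192.0.2.44:1235 -> 198.51.100.10:53
2002-09-30 10:03:00 this line is malformed and should be skipped
2002-09-30 10:04:00 DROP TCP 203.0.113.99:2000 -> 198.51.100.10:1433
"""

# Assumed line layout: "<timestamp> DROP <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


@dataclass
class SourceStats:
    """Everything we track about one remote source address."""
    hits: int = 0
    dst_hosts: set = field(default_factory=set)
    dst_ports: set = field(default_factory=set)
    first_seen: str = ""
    last_seen: str = ""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(text):
    """Aggregate dropped connections per source IP."""
    stats = defaultdict(SourceStats)
    for rec in parse_log(text):
        s = stats[rec["src"]]
        s.hits += 1
        s.dst_hosts.add(rec["dst"])
        s.dst_ports.add(int(rec["dport"]))
        s.first_seen = s.first_seen or rec["ts"]
        s.last_seen = rec["ts"]
    return dict(stats)


def suspected_infected(stats, min_hits=5, min_hosts=3):
    """A source that repeatedly hits a single port across several of your hosts
    looks like an automated worm rather than a person. The thresholds are
    assumptions; tune them against your own baseline traffic."""
    return sorted(
        src for src, s in stats.items()
        if s.hits >= min_hits and len(s.dst_hosts) >= min_hosts and len(s.dst_ports) == 1
    )


def report(stats, flagged):
    """Render a short, human-readable summary suitable for an abuse report."""
    lines = []
    for src in flagged:
        s = stats[src]
        port = sorted(s.dst_ports)[0]
        lines.append(
            f"{src}: {s.hits} drops against {len(s.dst_hosts)} hosts on port {port}, "
            f"{s.first_seen} .. {s.last_seen}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    st = summarize(SAMPLE_LOG)
    print(report(st, suspected_infected(st)))
```

With the constructed sample, only 203.0.113.7 is flagged: five drops, five distinct targets, all on port 80. The two-port source 192.0.2.44 and the single-hit source 203.0.113.99 are summarized but not reported, which is the point of requiring both volume and breadth before you bother an ISP.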