CR incident reports.
Kevin Brown
plug-discuss@lists.PLUG.phoenix.az.us
Sun, 26 Aug 2001 14:44:09 -0700
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN is used by CR1 and 2,
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is used by CRII. The difference:
CR1 and 2 are similar, but the code for choosing what IPs to hit was modified to
make CR2. CRII uses XXXXXXXXXXXXXXXXXXXXXXXXXXXs when accessing the default.ida
file and has a modified IP seed so that it will expend most of its attempts
hitting other machines located within the same Class A as it, with a few tries
outside the Class A.
> I have a couple of questions from one of the IT people dealing with CR
> incidents on and around ASU. I now have a little script that sends them
> CR attempts grepped from my access and error logs on a daily basis.
>
> One of the people there was asking for more info to make sure they are
> interpreting them correctly. I am writing something rather simple up.
> If anyone knows of more detailed HOW-TO interpretation of CR access
> logs, etc. please let me know...
>
> Now for my question:
>
> Is the "XXXXX....." in the access log an indication of a CR 1 or 2
> infection? The other IIRC has a "NNNNN...." in it.
>
> EBo --
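
The distinction given in the reply above (N padding for CR1 and 2, X padding for CRII), applied to access-log lines as an added example that is not part of the original thread. It assumes Apache common/combined log format; the function names, the minimum padding run of 8 and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed Apache common/combined log prefix: client address, then the quoted request.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')
# default.ida request whose query string opens with a run of one padding letter.
# The minimum run of 8 is an assumption of this example, not a figure from the thread.
PROBE_RE = re.compile(r'(?i:/default\.ida)\?(?P<pad>N{8,}|X{8,})')
VARIANT = {"N": "CR1/CR2", "X": "CRII"}  # mapping as stated in the reply


def classify(line):
    """Return (source, variant) for a Code Red probe line, else None."""
    m = LOG_RE.match(line)
    # Lines that do not parse as access-log entries are still searched whole.
    probe = PROBE_RE.search(m.group("req") if m else line)
    if probe is None:
        return None
    src = m.group("src") if m else "unparsed"
    return src, VARIANT[probe.group("pad")[0]]


def summarize(lines):
    """Group the distinct probing sources by variant for a daily report."""
    seen = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            seen[hit[1]].add(hit[0])
    return {variant: sorted(srcs) for variant, srcs in seen.items()}


# Constructed sample lines: documentation addresses, padding shortened.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Aug/2001:03:12:44 -0700] "GET /default.ida?'
    + "N" * 40 + '=a HTTP/1.0" 404 205',
    '192.0.2.10 - - [25/Aug/2001:03:12:51 -0700] "GET /default.ida?'
    + "N" * 40 + '=a HTTP/1.0" 404 205',
    '198.51.100.7 - - [25/Aug/2001:04:01:02 -0700] "GET /default.ida?'
    + "N" * 40 + '=a HTTP/1.0" 404 205',
    '203.0.113.5 - - [25/Aug/2001:05:30:19 -0700] "GET /default.ida?'
    + "X" * 40 + '=a HTTP/1.0" 404 205',
    '192.0.2.99 - - [25/Aug/2001:06:00:00 -0700] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for variant, sources in summarize(SAMPLE_LOG).items():
        print(f"{variant}: {len(sources)} source(s): {', '.join(sources)}")
```

Because CRII is described above as spending most of its attempts inside its own Class A, the CRII sources in such a report are the ones most likely to share the reporting server's first octet.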