On Wednesday 13 March 2002 00:46, James Bliss wrote:
These are the Code Red / Nimda attack signatures. You can just ignore them.
I do not think there is a way to keep them out of the log, on the security list they went around on this and I do not remember any specific resolution which would keep them out of the log files. (anyone know of a way to avoid logging these entries?)
I did this, but that was to *move* them to a different log. Easily adaptable to just ignore:

In /etc/http/httpd.conf around line 700:

    SetEnvIf Request_URI "root.exe" bad_req
    SetEnvIf Request_URI "cmd.exe" bad_req
    SetEnvIf Request_URI "default.ida" bad_req

Which tells apache to look out for those kinds of requests, and set the variable bad_req.

Around line 740:

    CustomLog /var/log/httpd/access_log common env=!bad_req
    CustomLog /var/log/httpd/bad_requests "%h %t \"%r\"" env=bad_req

Which tells apache to log everything BUT (env=!bad_req) as usual in access_log, and everything (env=bad_req) to the file bad_requests in the format of:

    HOST-IP [time] "bad-string"

I put the stuff where I put it, because I'm no apache-wizard, but it seemed about right. It can't be all wrong, 'cause it works very nicely :)

If you don't care to log these attacks, then just adding the "env=!bad_req" to the regular log-line should suffice, but you still have to set up that variable (obviously).

In my case I let the two logs run side-by-side for a while, before adding that statement to the access_log-line, just to be sure that I didn't lose anything.

If anyone sees something terribly wrong with this setup, please let me know ;)

Jon
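Added example, not part of the thread: a small Python script that applies the same routing logic as the two CustomLog directives above to already-written access_log lines, so the split into access_log and bad_requests can be reviewed offline before changing httpd.conf. It also shows one caveat of the posted SetEnvIf lines: Apache treats the patterns as unanchored regular expressions, so the unescaped "." in "cmd.exe" matches any character, and a harmless path such as /docs/cmd-exercises.html is flagged too. The log lines, IPs, timestamps and the cmd-exercises.html path are constructed for this example; the "escaped" pattern list is an assumption about what the poster intended, not something from the thread.

```python
import re

# Constructed sample access_log lines in Common Log Format. Hosts, times and
# paths are made up; the last line is a benign request that happens to contain "cmd-exe".
SAMPLE_LOG = """\
10.0.0.5 - - [13/Mar/2002:00:46:01 +0100] "GET /index.html HTTP/1.0" 200 2326
10.0.0.9 - - [13/Mar/2002:00:46:02 +0100] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276
10.0.0.9 - - [13/Mar/2002:00:46:03 +0100] "GET /scripts/root.exe HTTP/1.0" 404 279
10.0.0.9 - - [13/Mar/2002:00:46:04 +0100] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 284
10.0.0.7 - - [13/Mar/2002:00:46:05 +0100] "GET /docs/cmd-exercises.html HTTP/1.0" 200 1024
"""

# Common Log Format: %h %l %u %t "%r" %>s %b
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) (?P<time>\[[^\]]+\]) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# The three SetEnvIf patterns from the posted httpd.conf, verbatim.
# They are unanchored regexes, so "." matches any single character.
POSTED_PATTERNS = ["root.exe", "cmd.exe", "default.ida"]

# Assumed stricter variant: the dot escaped so it only matches a literal ".".
ESCAPED_PATTERNS = [r"root\.exe", r"cmd\.exe", r"default\.ida"]


def request_uri(request_line):
    """Return the Request_URI part of a request line such as 'GET /x HTTP/1.0'."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else request_line


def is_bad_request(uri, patterns):
    """Mirror SetEnvIf Request_URI "<pattern>" bad_req: any pattern found anywhere sets the flag."""
    return any(re.search(p, uri) for p in patterns)


def split_log(text, patterns=POSTED_PATTERNS):
    """Route each CLF line the way the two CustomLog directives would.

    Returns (access_log, bad_requests). access_log keeps the original line
    (env=!bad_req); bad_requests is rendered as "%h %t \"%r\"" (env=bad_req).
    """
    access_log, bad_requests = [], []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # unparseable line; skipping is a hypothetical policy
        if is_bad_request(request_uri(m.group("request")), patterns):
            bad_requests.append(
                '%s %s "%s"' % (m.group("host"), m.group("time"), m.group("request"))
            )
        else:
            access_log.append(line)
    return access_log, bad_requests


if __name__ == "__main__":
    for name, pats in (("posted", POSTED_PATTERNS), ("escaped", ESCAPED_PATTERNS)):
        normal, bad = split_log(SAMPLE_LOG, pats)
        print("%s patterns: %d normal, %d bad" % (name, len(normal), len(bad)))
        for entry in bad:
            print("  bad_requests:", entry)
```

Run it as-is to see the difference: with the posted patterns the benign /docs/cmd-exercises.html request lands in bad_requests, with the escaped patterns it stays in access_log. If the split looks right on real log files, the same patterns (escaped or not, as preferred) can go into SetEnvIf.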