Mailinglist Archive: opensuse (3644 mails)

Re: [SLE] web log
  • From: Jon Clausen <dsl23212@xxxxxxxxxxxxxxxx>
  • Date: Wed, 13 Mar 2002 08:06:48 +0100
  • Message-id: <20020313070649.93D5515FC3A@xxxxxxxxxxxxxxxxxxxx>
On Wednesday 13 March 2002 00:46, James Bliss wrote:
> These are the Code Red / Nimda attack signatures. You can just ignore them.
>
> I do not think there is a way to keep them out of the log; on the security
> list they went around on this and I do not remember any specific resolution
> which would keep them out of the log files. (Anyone know of a way to avoid
> logging these entries?)

I did this, but that was to *move* them to a different log. Easily adaptable
to just ignore:

In /etc/http/httpd.conf

around line 700:

SetEnvIf Request_URI "root.exe" bad_req
SetEnvIf Request_URI "cmd.exe" bad_req
SetEnvIf Request_URI "default.ida" bad_req

Which tells apache to look out for those kinds of requests, and set the
variable bad_req.

around line 740:

CustomLog /var/log/httpd/access_log common env=!bad_req
CustomLog /var/log/httpd/bad_requests "%h %t \"%r\"" env=bad_req

Which tells apache to log everything BUT (env=!bad_req) as usual in
access_log.

And everything (=bad_req) to the file bad_requests in the format of:

HOST-IP [time] "bad-string"

I put the stuff where I put it, because I'm no apache-wizard, but it seemed
about right. It can't be all wrong, 'cause it works very nicely :)

If you don't care to log these attacks, then just adding the "env=!bad_req"
to the regular log-line should suffice, but you still have to set up that
variable (obviously)

In my case I let the two logs run side-by-side for a while, before adding
that statement to the access_log-line, just to be sure that I didn't lose
anything.

If anyone sees something terribly wrong with this setup, please let me know ;)

Jon
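The following is an added example, not part of Jon's post or of the SuSE/Apache configuration itself. It replays in Python what the SetEnvIf/CustomLog pair above does to a handful of constructed access_log lines (made up for this example, modelled on the Code Red `default.ida` and Nimda `root.exe`/`cmd.exe` request strings), so you can see which lines would end up in `bad_requests` before touching the live config. Two details of SetEnvIf that the thread does not spell out are visible in the output: the patterns are unanchored regular expressions, so `cmd.exe` also tags a perfectly legitimate `/docs/cmd.exe.html`, and the match is case-sensitive unless you use `SetEnvIfNoCase`, so `/scripts/ROOT.EXE` slips through into the normal log. Request_URI is matched without the query string, which the helper reproduces.

```python
import re

# Constructed sample log lines in Apache "common" log format (not real
# traffic), modelled on the Code Red / Nimda request strings discussed
# in the thread plus one harmless request and one upper-case variant.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [13/Mar/2002:07:58:41 +0100] "GET /index.html HTTP/1.0" 200 1342
192.0.2.44 - - [13/Mar/2002:07:59:03 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
192.0.2.44 - - [13/Mar/2002:07:59:04 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
192.0.2.51 - - [13/Mar/2002:08:01:17 +0100] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 404 281
192.0.2.10 - - [13/Mar/2002:08:02:30 +0100] "GET /docs/cmd.exe.html HTTP/1.0" 200 512
192.0.2.77 - - [13/Mar/2002:08:03:02 +0100] "GET /scripts/ROOT.EXE?/c+dir HTTP/1.0" 404 281
"""

# The three SetEnvIf patterns from the post, exactly as written there.
# SetEnvIf treats them as unanchored regexes: "." matches any character
# and the pattern may occur anywhere in the path.
BAD_REQ_PATTERNS = ("root.exe", "cmd.exe", "default.ida")

# Fields of a common-format line that the two CustomLog formats use:
# %h (host), %t (bracketed time) and %r (the request line).
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ (?P<time>\[[^\]]+\]) "(?P<request>[^"]*)"'
)


def request_uri(request_line):
    """Return what SetEnvIf sees as Request_URI: the path from the request
    line, with method, protocol and the query string stripped off."""
    parts = request_line.split()
    if len(parts) < 2:
        return ""
    return parts[1].split("?", 1)[0]


def is_bad_req(uri, ignore_case=False):
    """Mimic `SetEnvIf Request_URI <pattern> bad_req` for each pattern;
    ignore_case=True corresponds to using SetEnvIfNoCase instead."""
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.search(pattern, uri, flags) for pattern in BAD_REQ_PATTERNS)


def split_log(log_text, ignore_case=False):
    """Route each line the way the two CustomLog directives would:
    env=!bad_req lines stay in access_log untouched, env=bad_req lines go
    to bad_requests in the "%h %t \\"%r\\"" format from the post."""
    access_log, bad_requests = [], []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a common-format line; nothing to classify
        if is_bad_req(request_uri(m["request"]), ignore_case):
            bad_requests.append(f'{m["host"]} {m["time"]} "{m["request"]}"')
        else:
            access_log.append(line)
    return access_log, bad_requests


if __name__ == "__main__":
    for label, ignore_case in (("SetEnvIf", False), ("SetEnvIfNoCase", True)):
        normal, bad = split_log(SAMPLE_ACCESS_LOG, ignore_case)
        print(f"--- {label}: {len(normal)} in access_log, {len(bad)} in bad_requests")
        for entry in bad:
            print("bad_requests:", entry)
        for entry in normal:
            print("access_log:  ", entry)
```

Run as-is to see both routings side by side. With the post's case-sensitive `SetEnvIf`, four of the six constructed lines land in bad_requests, including the innocent `/docs/cmd.exe.html`; if you care about that, anchor the pattern (for example `cmd\.exe$` or `/cmd\.exe`) rather than matching a bare substring. Switching to `SetEnvIfNoCase` additionally catches the upper-case `ROOT.EXE` variant.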
