In article <20011022123933.B8376@gecadsoftware.com>, teo@gecadsoftware.com says...
Hi Mathias! On Sun, 21 Oct 2001, Mathias Homann wrote:
Hi all,
Here's a bit of a step-by-step description of how to keep Nimda and Code Red from filling your Apache logs.
If filled-up logs are the only concern (and not possibly vulnerable machines behind the firewall), why not:

    SetEnvIf Request_URI ".ida" no_log=1
    SetEnvIf Request_URI ".exe" no_log=1
    # add more matches here
    CustomLog /path/to/logs common env=!no_log

That way you avoid all the packets to 80 being matched against the signatures.
Because I can :) Or better, because I avoid a) load on the webserver and b) traffic this way... Mainly, someone here mentioned the string filtering in netfilter some time ago, and I wanted to try it. After getting it to work, I figured it to be of general interest here.
bye [L]
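
Added example, not part of either poster's message: a small Python simulation of which requests the SetEnvIf/CustomLog suggestion above would keep out of the access log, run over constructed request paths. It treats each SetEnvIf pattern as an unanchored, case-sensitive regex search; the "tightened" patterns and all sample paths are assumptions made for this illustration.

```python
import re

# Patterns exactly as posted in the thread (unescaped dot, unanchored).
POSTED = [r".ida", r".exe"]
# Tightened patterns: an assumption made for this example, not from the thread.
TIGHTENED = [r"\.ida$", r"/(root|cmd)\.exe$"]

# Constructed request paths (Request_URI carries no query string).
SAMPLE_URIS = [
    "/default.ida",           # Code Red style probe
    "/scripts/root.exe",      # Nimda style probe
    "/downloads/setup.exe",   # legitimate download
    "/annexe/index.html",     # legitimate page, contains "nexe"
    "/holiday.html",          # legitimate page, contains "lida"
    "/index.html",            # legitimate page
]


def suppressed(uri, patterns):
    """True if any pattern sets no_log for this URI (regex search, not full match)."""
    return any(re.search(p, uri) for p in patterns)


def split_log(uris, patterns):
    """Return (logged, dropped) as CustomLog ... env=!no_log would split them."""
    logged = [u for u in uris if not suppressed(u, patterns)]
    dropped = [u for u in uris if suppressed(u, patterns)]
    return logged, dropped


if __name__ == "__main__":
    for name, pats in (("posted", POSTED), ("tightened", TIGHTENED)):
        logged, dropped = split_log(SAMPLE_URIS, pats)
        print(f"{name}: dropped from log -> {dropped}")
```

With the patterns as posted, ordinary pages and downloads also vanish from the log, because "." matches any character and the search is unanchored.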