col l33t
Joined: 08 May 2002 Posts: 820 Location: Melbourne - Australia
|
Posted: Sat Jul 24, 2004 12:48 am Post subject: apache logs iis worms |
|
|
I was wondering if anyone had some tips on dealing with IIS worms in Apache log files. My logs are full of requests from worms and I would like Apache to send these requests to a log file other than the access_log.
Janne Pikkarainen Veteran
Joined: 29 Jul 2003 Posts: 1143 Location: Helsinki, Finland
|
Posted: Sat Jul 24, 2004 7:21 am Post subject: |
|
|
Something like this should help, at least you'll get the idea:
Code: |
SetEnvIf Request_URI "^/default.ida" attacks
SetEnvIf Request_URI "^/scripts" attacks
SetEnvIf Request_URI "^/c/winnt" attacks
SetEnvIf Request_URI "^/_mem_bin" attacks
SetEnvIf Request_URI "^/_vti_bin" attacks
SetEnvIf Request_URI "^/MSADC" attacks
SetEnvIf Request_URI "^/msadc" attacks
SetEnvIf Request_URI "^/d/winnt" attacks
CustomLog /var/log/apache/access_log combined env=!attacks
CustomLog /var/log/apache/attack_log combined env=attacks
|
_________________ Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.". |
col l33t
Joined: 08 May 2002 Posts: 820 Location: Melbourne - Australia
|
Posted: Sun Jul 25, 2004 11:33 pm Post subject: |
|
|
Thanks for the reply. This seems to be working, as I am now seeing stuff in the attack log instead. The one I was having the most problems with was not listed, which is the IIS WebDAV exploit worm. Here is my rule for it:
Code: |
SetEnvIf Request_URI "^/\x90\x02" attacks
|
|
|
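An added example, not part of any post in this thread: a Python sketch that applies the same URI prefixes to an access log that has already been written, splitting it the way the SetEnvIf/CustomLog rules above would. The sample lines are constructed, and it assumes combined log format with non-printable request bytes written as `\xhh` escapes.

```python
import re

# URI prefixes copied from the SetEnvIf rules posted in this thread.
# They are compared literally, so "." is a dot here, not "any character".
ATTACK_PREFIXES = (
    "/default.ida", "/scripts", "/c/winnt", "/_mem_bin",
    "/_vti_bin", "/MSADC", "/msadc", "/d/winnt",
    r"/\x90\x02",  # assumption: the log shows these bytes as literal \xhh text
)

# Combined format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]*\] "(?P<request>(?:[^"\\]|\\.)*)" ')

def request_uri(line):
    """Return the URI from the quoted request field, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    # A well-formed request is "METHOD URI PROTOCOL"; broken clients send less.
    return parts[1] if len(parts) >= 2 else None

def is_attack(line):
    uri = request_uri(line)
    return uri is not None and uri.startswith(ATTACK_PREFIXES)

def split_log(lines):
    """Partition log lines into (normal, attacks), preserving order."""
    normal, attacks = [], []
    for line in lines:
        (attacks if is_attack(line) else normal).append(line)
    return normal, attacks

# Constructed sample lines (documentation IP ranges), not from a real log.
SAMPLE = [
    r'192.0.2.10 - - [24/Jul/2004:00:48:01 +1000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [24/Jul/2004:00:48:05 +1000] "GET /default.ida?XXXX HTTP/1.0" 404 290 "-" "-"',
    r'198.51.100.8 - - [24/Jul/2004:00:49:12 +1000] "GET /_vti_bin/example.dll HTTP/1.0" 404 290 "-" "-"',
    r'203.0.113.5 - - [25/Jul/2004:23:30:12 +1000] "SEARCH /\x90\x02\xb1\x02\xb1 HTTP/1.1" 414 330 "-" "-"',
    r'192.0.2.44 - - [26/Jul/2004:07:59:00 +1000] "-" 408 - "-" "-"',
    # A legitimate page also matches the "/scripts" prefix, as it would in Apache.
    r'192.0.2.10 - - [26/Jul/2004:08:01:30 +1000] "GET /scripts.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    normal, attacks = split_log(SAMPLE)
    print(f"{len(normal)} normal, {len(attacks)} attack lines")
```

The last sample line shows that a prefix rule such as `^/scripts` also catches any legitimate URL that starts with the same characters, so the attack log is worth a skim before it is discarded.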
col l33t
Joined: 08 May 2002 Posts: 820 Location: Melbourne - Australia
|
Posted: Mon Jul 26, 2004 7:59 am Post subject: |
|
|
No, this is not working correctly... I have entries in both the attack_log and the access_log for the worms. Any ideas why?