Posted to users@httpd.apache.org by "C.Hays" <me...@pconline.com> on 2002/03/03 04:24:11 UTC
Re: Conditional Logging - Apache 2.0.28 - ignoring Nimda or Code Red
Well, I can't help with the logging; however, a small script using sed will remove the entries from the existing logs.
I have some entries I see all the time that I just remove and cp over to new logs, which are then parsed.
Works like a charm.
Good luck.
On Sat, 2 Mar 2002 18:52:55 -0600
"Bryan Henry" <br...@mail.utexas.edu> wrote:
> I have been trying for two weeks to configure my Apache server
> not to log all the cmd.exe and root.exe requests from a
> Nimda or Code Red infected IIS machine.
>
> I definitely have read every faq entry and description in the manual
> for setting SetEnvIf and CustomLog. In addition, every suggestion I
> find on the web is not working for me either.
>
> My goal is to not log any of these attacks; never seeing
> these entries would make me very happy.
>
> thank you for the assistance,
> ~ b r y a n h e n r y
>
> Running - Apache/2.0.28 (Win32)
> ------------------------------------------------------------------
>
> I have been only able to successfully log the following in attack.log
>
> <-snipped ip and time-> "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 805
> <-snipped ip and time-> "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 805
> <-snipped ip and time-> "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 805
>
>
> The following is the relevant section of my .conf file.
> -------------------------------------------------------------------
> <-snipped .conf->
> #
> # ErrorLog: The location of the error log file.
> # If you do not specify an ErrorLog directive within a <VirtualHost>
> # container, error messages relating to that virtual host will be
> # logged here. If you *do* define an error logfile for a <VirtualHost>
> # container, that host's errors will be logged there and not here.
> #
> ErrorLog logs/error.log
>
> #
> # LogLevel: Control the number of messages logged to the error.log.
> # Possible values include: debug, info, notice, warn, error, crit,
> # alert, emerg.
> #
> LogLevel warn
>
> #
> # The following directives define some format nicknames for use with
> # a CustomLog directive (see below).
> #
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
> LogFormat "%h %l %u %t \"%r\" %>s %b" common
> LogFormat "%{Referer}i -> %U" referer
> LogFormat "%{User-agent}i" agent
>
> # <<<< NOTE >>> I have used all kinds of combinations of the following entries
> SetEnvIf Request_URI "^/scripts/root\.exe" dontlog
> SetEnvIf Request_URI "^/scripts/root\.exe^" dontlog
> SetEnvIf Request_URI "^MSADC/root\.exe^" dontlog
> SetEnvIf Request_URI "^MSADC/root\.exe" dontlog
> SetEnvIf Request_URI "^/[cd]/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/[cd]/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/scripts/*/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/scripts/*/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/_vti_bin/*/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/_vti_bin/*/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/_mem_bin/*/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/_mem_bin/*/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/*/winnt/system32/cmd\.exe^" dontlog
> SetEnvIf Request_URI "^/*/winnt/system32/cmd\.exe" dontlog
> SetEnvIf Request_URI "^/default\.ida^" dontlog
> SetEnvIf Request_URI "^/default\.ida" dontlog
>
> #
> # The location and format of the access logfile (Common Logfile Format).
> # If you do not define any access logfiles within a <VirtualHost>
> # container, they will be logged here. Contrariwise, if you *do*
> # define per-<VirtualHost> access logfiles, transactions will be
> # logged therein and *not* in this file.
> #
> # <<<< NOTE >>>
> # I have disabled the following line because I use the line below it instead
> # Is this not correct?
> #CustomLog logs/access.log common
>
> CustomLog logs/access.log common env=!dontlog
> CustomLog logs/attacks.log common env=dontlog
>
> #
> # If you would like to have agent and referer logfiles, uncomment the
> # following directives.
> #
> CustomLog logs/referer.log referer
> CustomLog logs/agent.log agent
>
> #
> # If you prefer a single logfile with access, agent, and referer information
> # (Combined Logfile Format) you can use the following directive.
> #
> #CustomLog logs/access.log combined
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
--
Key fingerprint = C868 0131 8B45 6267 0B5F 3FE6 F39A E607 5B1D 0F82
Re: Conditional Logging - Apache 2.0.28 - ignoring Nimda or Code Red
Posted by Irmund Thum <it...@it97.dyn.dhs.org>.
C.Hays wrote:
> Well, I can't help with the logging; however, a small script using sed will remove the entries from the existing logs.
> I have some entries I see all the time that I just remove and cp over to new logs, which are then parsed.
> Works like a charm.
>
> Good luck.
>
> On Sat, 2 Mar 2002 18:52:55 -0600
> "Bryan Henry" <br...@mail.utexas.edu> wrote:
>
>
>>I have been trying for two weeks to configure my Apache server
>>not to log all the cmd.exe and root.exe requests from a
>>Nimda or Code Red infected IIS machine.
>>
>>I definitely have read every faq entry and description in the manual
>>for setting SetEnvIf and CustomLog. In addition, every suggestion I
>>find on the web is not working for me either.
>>
>>My goal is to not log any of these attacks; never seeing
>>these entries would make me very happy.
>>
>>thank you for the assistance,
>>~ b r y a n h e n r y
This does the job for me, and also under Windows you should be able to run a cron job
(winat, cron nt) and awk (or sed; look for cygwin):
awk '!/XXXXXX/ && !/NNNN/ && !/winnt\/system32/ && !/root.exe\?\//{print}' access_log > t; >access_log; cat t > access_log; rm t
--
_ ___
| | Irmund Thum
| |
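The awk post-filter from Irmund's reply, reworked as an added example (not code from the thread): it drops the same Nimda and Code Red probe lines that Bryan's attack.log shows, but writes the result to a temp file and moves it into place rather than truncating the live log with ">access_log". The regex, function names and sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example: post-filter worm probes out of an Apache access log.
# Truncating the live log with ">access_log" and then "cat t > access_log"
# (as in the one-liner above) loses any line Apache appends in between;
# writing a temp file and mv'ing it into place avoids that window.

# One regex for the probe paths visible in Bryan's attack.log: Nimda's
# cmd.exe / root.exe traversal requests and Code Red's default.ida.
# It is unanchored, so it matches anywhere in the request line; note that
# a trailing "^" (as in several of Bryan's SetEnvIf lines) is a
# start-of-string anchor and can never match at the end of a pattern.
# Bracket expressions are used instead of "\." so the value survives
# awk's escape processing of -v assignments.
WORM_RE='/(winnt/system32/cmd[.]exe|root[.]exe|default[.]ida)'

# filter_worm_entries IN OUT: copy IN to OUT without the worm lines.
filter_worm_entries() {
    in="$1"; out="$2"
    tmp="$out.tmp.$$"
    awk -v re="$WORM_RE" '$0 !~ re { print }' "$in" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out"
}

# count_worm_entries IN: print how many lines the filter would drop.
count_worm_entries() {
    awk -v re="$WORM_RE" '$0 ~ re { n++ } END { print n + 0 }' "$1"
}

# make_sample_log PATH: constructed sample log in Common Log Format
# (addresses and times are made up for this example).
make_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.1 - - [02/Mar/2002:18:52:55 -0600] "GET /index.html HTTP/1.0" 200 1024
10.0.0.2 - - [02/Mar/2002:18:53:01 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 805
10.0.0.2 - - [02/Mar/2002:18:53:02 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 805
10.0.0.3 - - [02/Mar/2002:18:53:05 -0600] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 805
10.0.0.4 - - [02/Mar/2002:18:53:09 -0600] "GET /about.html HTTP/1.0" 200 2048
EOF
}
```

The same WORM_RE value can be dropped into a single SetEnvIf Request_URI line on the Apache side if you would rather keep the entries out of access.log in the first place.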