Posted to bugs@httpd.apache.org by bu...@apache.org on 2002/09/26 15:25:02 UTC
DO NOT REPLY [Bug 13032] New: - SetEnvIf[NoCase] doesn't allow you to test if an attribute does not match the regex
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13032
Summary: SetEnvIf[NoCase] doesn't allow you to test if an
attribute does not match the regex
Product: Apache httpd-1.3
Version: 1.3.26
Platform: PC
OS/Version: Netware
Status: NEW
Severity: Minor
Priority: Other
Component: Other
AssignedTo: bugs@httpd.apache.org
ReportedBy: S.M.Flood@ucs.cam.ac.uk
Module: mod_setenvif
I'm trying to use the SetEnvIf and SetEnvIfNoCase directives to determine which
log file a request should get logged to based on the values of the Request_URI
and Remote_Host variables.
I'm using SetEnvIfNoCase to set three flags when a request is a Code Red/Nimda
probe - attack, attack_uk, and attack_not_uk - and then I'm unsetting the
relevant one depending on whether the request came from a UK- or non-UK-based
machine.
Although I've flagged this as a problem with Apache/1.3.26 on NetWare I've also
found this to be the case with Apache/1.3.26 on Windows NT 4.0 Workstation.
The relevant lines from my httpd.conf file are:
SetEnvIfNoCase Request_URI "cmd\.exe" attack attack_uk attack_not_uk
SetEnvIfNoCase Request_URI "root\.exe" attack attack_uk attack_not_uk
SetEnvIfNoCase Request_URI "default\.ida" attack attack_uk attack_not_uk
SetEnvIfNoCase Request_URI "msadcs\.dll" attack attack_uk attack_not_uk
SetEnvIfNoCase Request_URI "pbserver\.dll" attack attack_uk attack_not_uk
SetEnvIfNoCase Request_URI "^/default\.ida" default_ida
SetEnvIfNoCase Remote_Host \.uk$ !attack_not_uk access_uk
SetEnvIfNoCase Remote_Host !\.uk$ !attack_uk
CustomLog logs/access.log common env=!attack
CustomLog logs/accessuk.log common env=access_uk
CustomLog logs/attackuk.log common env=attack_uk
CustomLog logs/attack.log common env=attack_not_uk
CustomLog logs/default.log common env=default_ida
Basically the 'SetEnvIfNoCase Remote_Host !\.uk$ !attack_uk' isn't working and
I think it's because the '!' in front of the regex is getting ignored. I've
also tried enclosing the whole regex in '"'s plus all except the '!' but it
doesn't make any difference.
accessuk.log is correctly logging just accesses from machines with DNS names
ending ".uk".
As an aside I'm finding that requests for 'default\.ida' are not getting
interpreted as attacks hence the reason for adding '^/default\.ida' as a test
but I haven't had one of these probes since implementing this! Though if I
telnet in and enter the appropriate request it does log it correctly.
BTW the reason for wanting to log all UK-based attacks to a separate file is so
that I can pass it on to our local CERT team. Since they receive so many
attack reports from around the University they're only really interested in
UK-based probes that they can then pass on to the JANet (Joint Academic Network)
CERT team for action.
Am I right in thinking that '!' isn't working or is even supposed to work?
If it isn't supposed to work what is the alternative?
Many thanks,
Simon Flood, Computer Officer,
University of Cambridge Computing Service, United Kingdom
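
An added example, not part of the original report and not Apache code: a small Python model of the flag logic in the configuration above, showing which log files a probe lands in when the leading '!' is compiled as an ordinary regex character, and again when "does not end in .uk" is written as a positive pattern. Assumptions: Python's re module stands in for the server's regex engine, the default_ida rule is left out, the NOT_UK pattern is a hypothetical workaround checked only in this model, and the sample hostnames and URIs are constructed.

```python
import re

# Simplified model of SetEnvIfNoCase: (attribute, regex, actions); "!name" unsets.
# Python's re stands in for the server's regex engine (an assumption).
FLAGS = ["attack", "attack_uk", "attack_not_uk"]
PROBES = [r"cmd\.exe", r"root\.exe", r"default\.ida", r"msadcs\.dll", r"pbserver\.dll"]
BASE = [("Request_URI", p, FLAGS) for p in PROBES] + [
    ("Remote_Host", r"\.uk$", ["!attack_not_uk", "access_uk"]),
]
# The directive from the report, with "!" treated as the first regex character.
AS_REPORTED = BASE + [("Remote_Host", r"!\.uk$", ["!attack_uk"])]
# Hypothetical workaround: "does not end in .uk" written as a positive pattern.
NOT_UK = r"^(.{0,2}|.*([^k]|[^u]k|[^.]uk))$"
REWRITTEN = BASE + [("Remote_Host", NOT_UK, ["!attack_uk"])]

# CustomLog targets and their env= conditions, as in the report.
LOGS = [("access.log", "!attack"), ("accessuk.log", "access_uk"),
        ("attackuk.log", "attack_uk"), ("attack.log", "attack_not_uk")]

def evaluate(rules, request):
    """Apply the rules in order and return the set of variables left set."""
    env = set()
    for attribute, regex, actions in rules:
        if re.search(regex, request[attribute], re.IGNORECASE):
            for action in actions:
                if action.startswith("!"):
                    env.discard(action[1:])
                else:
                    env.add(action)
    return env

def log_files(rules, request):
    """Return the log files whose env= condition holds for this request."""
    env = evaluate(rules, request)
    return [name for name, cond in LOGS
            if (cond[1:] not in env if cond.startswith("!") else cond in env)]

# Constructed sample requests (not taken from the report).
UK_PROBE = {"Remote_Host": "pc1.example.uk", "Request_URI": "/scripts/root.exe?/c+dir"}
NON_UK_PROBE = {"Remote_Host": "pc1.example.com", "Request_URI": "/scripts/root.exe?/c+dir"}

if __name__ == "__main__":
    for label, rules in (("as reported", AS_REPORTED), ("rewritten", REWRITTEN)):
        for req in (UK_PROBE, NON_UK_PROBE):
            print(label, req["Remote_Host"], log_files(rules, req))
```

In the model, the as-reported rules leave attack_uk set for the non-UK probe, so it is written to both attackuk.log and attack.log; the rewritten rule routes it to attack.log only.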