From owner-freebsd-questions@FreeBSD.ORG Sat Jan 15 11:13:18 2005
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EE61816A4CE; Sat, 15 Jan 2005 11:13:18 +0000 (GMT)
Received: from t-x.dignus.nl (t-x.dignus.nl [83.219.88.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9D56943D39; Sat, 15 Jan 2005 11:13:18 +0000 (GMT) (envelope-from colin@kenmore.kozy-kabin.nl)
Received: from localhost (localhost.dignus.nl [127.0.0.1]) by t-x.dignus.nl (Safehouse) with ESMTP id 739E52863B; Sat, 15 Jan 2005 12:13:34 +0100 (CET)
Received: from kenmore.kozy-kabin.nl (cjr-home [62.251.72.148]) by t-x.dignus.nl (Safehouse) with ESMTP id 9F44028682; Sat, 15 Jan 2005 11:23:44 +0100 (CET)
Received: from kenmore.kozy-kabin.nl (localhost.kozy-kabin.nl [127.0.0.1]) by kenmore.kozy-kabin.nl (Postfix) with ESMTP id E62B46230; Sat, 15 Jan 2005 11:23:27 +0100 (CET)
Received: from localhost (colin@localhost) j0FANRFO069867; Sat, 15 Jan 2005 11:23:27 +0100 (CET) (envelope-from colin@kenmore.kozy-kabin.nl)
Date: Sat, 15 Jan 2005 11:23:27 +0100
From: "Colin J. Raven"
To: Duo
cc: FreeBSD Questions
Subject: Re: Odd (alarming) http log excerpt [followup]
Message-ID: <20050115110918.V802@kenmore.kozy-kabin.nl>
References: <20050114140441.G802@kenmore.kozy-kabin.nl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Virus-Scanned: by RemSPAMd at ph230.plushosting.nl
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Sat, 15 Jan 2005 11:13:19 -0000

On Jan 14 at 10:22, Duo made this excellent suggestion:

> On Fri, 14 Jan 2005, Colin J. Raven wrote:
>
>> I noticed something extremely odd this morning in my http access log.
>> There's the usual activity, then suddenly this (about a hundred lines
>> are snipped)
>>
>> Is there anything within...say httpd.conf..that I could do to prevent
>> this..or curtail it before it grows to such an enormous size.
>
> Why, yes there is! For the low low price of FREE, here is something you can
> do for fun and giggles.
>
>
> RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
> RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
>
> I've googled extensively on conditional logging, but the syntax makes my head spin.

Following Duo posting this gem yesterday, I planted the whole lot in my httpd.conf. This morning I had a similar occurrence of a WebDAV exploit which again porked out the logfile.

As a followup question to this outstanding contribution, can anyone suggest a way of conditional logging which does any or all of the following:

a) logs [simply] that a redirect in any of the above categories has happened
b) Suppresses the verbose output normally associated with one of the above conditions happening

In other words you know it happened, but just in a non-verbose way, and you know the redirect worked.

Regards & TIA,
-Colin
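One way to get the conditional logging Colin asks for, as an added example that is not part of the original thread: tag requests matching the same paths Duo's RedirectMatch rules catch with SetEnvIf, send them to a short probe log, and keep them out of the main access log. It assumes mod_setenvif and mod_log_config are loaded, that the standard `combined` LogFormat is already defined in httpd.conf, and the two log paths are placeholders for your own layout.

```apache
# Added example, not from the thread. Requires mod_setenvif and
# mod_log_config; log file paths below are placeholders.

# Set the environment variable "worm_probe" on any request whose URI
# matches one of the probe patterns the RedirectMatch rules redirect.
# Request_URI is the path part only (no query string), so keep the
# patterns anchored on path fragments, not on the full request line.
SetEnvIf       Request_URI "cmd\.exe"        worm_probe
SetEnvIf       Request_URI "root\.exe"       worm_probe
SetEnvIf       Request_URI "/_vti_bin/"      worm_probe
SetEnvIf       Request_URI "/scripts/\.\."   worm_probe
SetEnvIf       Request_URI "/_mem_bin/"      worm_probe
SetEnvIfNoCase Request_URI "/msadc/"         worm_probe   # covers MSADC too
SetEnvIf       Request_URI "/[cd]/winnt/"    worm_probe
SetEnvIf       Request_URI "/x90/"           worm_probe

# Compact format for the probe log: client, time, method, final status
# and the Location header the redirect sent back. Logging %{Location}o
# with the 301 status is what confirms the redirect actually fired,
# without recording the long encoded URI that bloats the normal log.
LogFormat "%h %t %m %>s redirected-to=\"%{Location}o\"" probe_short

# Tagged requests go to the short probe log only...
CustomLog /var/log/httpd-probes.log probe_short env=worm_probe

# ...and everything else to the normal access log (combined is the
# stock format from the default httpd.conf).
CustomLog /var/log/httpd-access.log combined env=!worm_probe
```

Each redirected probe then leaves a single line like `203.0.113.5 [15/Jan/2005:11:23:27 +0100] GET 301 redirected-to="http://www.microsoft.com"` (constructed sample) in the probe log, and the main access log never sees the verbose request at all.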