Mar 19, '03 09:41:00AM • Contributed by: thrig
Code Red and Nimda requests are annoying at best, and can complicate log processing. One option for dealing with these requests is to have Apache write them to a separate log file, which can then be processed as needed. Additional uses for separate log files are explored at the end.
The httpd.conf file will need to be manually edited to add the following features. For more information on the configuration outlined below, consult the Apache manual.
[robg adds: A previous hint includes a shell script to block Nimda and Code Red requests at the firewall level; this hint explains how to use Apache's custom logging features to log these activities in a separate log file without actually blocking the requests.]
Logging Nimda and Code Red queries...
- Pick what to block.
- Log the msjunk
- Update regular logging
- Extra Work
The goal here is to associate a tag with particular requests, so Apache can subsequently treat requests with or without that tag differently. These directives should appear just before any CustomLog entries.
SetEnvIfNoCase Request_URI "/cmd\.exe" msjunk
SetEnvIfNoCase Request_URI "/Admin\.dll" msjunk
SetEnvIfNoCase Request_URI "/root\.exe" msjunk
SetEnvIfNoCase Request_URI "/httpodbc\.dll" msjunk
SetEnvIfNoCase Request_URI "/owssvr\.dll" msjunk
SetEnvIfNoCase Request_URI "/default\.ida" msjunk
The above SetEnvIfNoCase entries set an msjunk environment variable inside Apache for requests whose URI matches the specified pattern. Case-insensitive matching is used so both CMD.EXE and cmd.exe trigger a match. Certain characters (like .) are special in regular expressions, and have been escaped with a backslash to prevent potential (but rare) false positives.
Create a new CustomLog statement after the new SetEnvIfNoCase entries to direct any requests carrying the msjunk variable to a different log file. Note the env=msjunk clause, which restricts this log to tagged requests.
CustomLog "/private/var/log/httpd/msjunk_log" common env=msjunk
If nothing will be done with the requests, the logs can instead be thrown out.
CustomLog "/dev/null" common env=msjunk
At this point, requests tagged msjunk are written both to the new CustomLog and to the regular log file. Any existing CustomLog entries will need an env=!msjunk clause so they skip tagged requests.
CustomLog "/private/var/log/httpd/access_log" common env=!msjunk
Save httpd.conf, restart Apache, and try both a normal request and one matching one of the patterns to ensure logging is set up properly.
$ curl http://www.example.org/ >/dev/null
  % Total    % Received % Xferd  Average Speed          Time             Curr.
                                 Dload  Upload Total    Current  Left    Speed
100  4255  100  4255    0     0   7975      0  0:00:00  0:00:00  0:00:00  1618
$ curl http://www.example.org/cmd.exe >/dev/null
  % Total    % Received % Xferd  Average Speed          Time             Curr.
                                 Dload  Upload Total    Current  Left    Speed
100  1069    0  1069    0     0   3397      0 --:--:--  0:00:00 --:--:--     0
The new msjunk_log file may need to be rotated to prevent it from growing too large. This is outside the scope of this document.
Other interesting things can be done with the SetEnvIf directive, such as logging requests from local testing systems to an alternate log file. This can be done by matching on the Remote_Host or Remote_Addr attribute instead of Request_URI, and requires additional environment tags and updated CustomLog rules.
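To finish the local-testing idea from the paragraph above, here is an added httpd.conf fragment (not part of the original hint) that combines the msjunk tag with a second tag for test hosts. It assumes 192.168.1.0/24 is the testing network and reuses the hint's Mac OS X log paths; both are placeholders to adjust for your server.

```apache
# Added example, not from the original hint. Assumed values: the test
# network 192.168.1.0/24 and the /private/var/log/httpd/ paths.

# 1. Tag worm probes. Matching is case-insensitive and the dots are
#    escaped, so a URI such as /cmdXexe does not produce a false match.
SetEnvIfNoCase Request_URI "/cmd\.exe"      msjunk
SetEnvIfNoCase Request_URI "/Admin\.dll"    msjunk
SetEnvIfNoCase Request_URI "/root\.exe"     msjunk
SetEnvIfNoCase Request_URI "/httpodbc\.dll" msjunk
SetEnvIfNoCase Request_URI "/owssvr\.dll"   msjunk
SetEnvIfNoCase Request_URI "/default\.ida"  msjunk

# 2. Tag requests from the local testing network. Remote_Addr is matched
#    as a string, so anchor the pattern and escape the dots.
SetEnvIf Remote_Addr "^192\.168\.1\." local

# 3. The env= clause on CustomLog tests a single variable, so fold both
#    tags into one "keep out of the main log" tag. SetEnvIf can test a
#    variable set by an earlier SetEnvIf, which is why these two lines
#    must come after steps 1 and 2.
SetEnvIf msjunk . not_main
SetEnvIf local  . not_main

# 4. Route each class of request to its own file and keep the main log
#    clean. A probe sent from a test host (like the curl check above)
#    lands in both msjunk_log and local_log, which is the intended result.
CustomLog "/private/var/log/httpd/msjunk_log" common env=msjunk
CustomLog "/private/var/log/httpd/local_log"  common env=local
CustomLog "/private/var/log/httpd/access_log" common env=!not_main
```

Each CustomLog needs a format name (common here); without it Apache treats the env= clause as the format string and logs that literal text for every request.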