Selective logging with Apache (or, hiding Code Red and Nimda)

Mar 19, '03 09:41:00AM

Contributed by: thrig

Code Red and Nimda requests are annoying at best, and can complicate log processing. One option for dealing with these requests is to have Apache log them to a separate log file, which can be processed as needed. Additional uses for separate log files are explored below.

The httpd.conf file will need to be manually edited to add the following features. For more information on the configuration outlined below, consult the Apache manual.

[robg adds: A previous hint includes a shell script to block Nimda and Code Red requests at the firewall level; this hint explains how to use Apache's custom logging features to log these activities in a separate log file without actually blocking the requests.]

Logging Nimda and Code Red queries...

  1. Pick what to block.

    The goal here is to associate a tag with particular requests, so Apache can subsequently do something special with logs with or without the tag in question. This should be done just before any CustomLog entries.

      SetEnvIfNoCase Request_URI "/cmd\.exe" msjunk
      SetEnvIfNoCase Request_URI "/Admin\.dll" msjunk
      SetEnvIfNoCase Request_URI "/root\.exe" msjunk
      SetEnvIfNoCase Request_URI "/httpodbc\.dll" msjunk
      SetEnvIfNoCase Request_URI "/owssvr\.dll" msjunk
      SetEnvIfNoCase Request_URI "/default\.ida" msjunk

    The above SetEnvIfNoCase entries set a msjunk environment variable inside Apache for requests whose URI matches one of the specified patterns. Case-insensitive matching is used so that both CMD.EXE and cmd.exe trigger a match. Certain characters (like .) are special in these regular expressions, and have been escaped with a backslash to prevent potential (but rare) false positives.

  2. Log the msjunk

    Create a new CustomLog statement after the new SetEnvIfNoCase entries to direct any requests carrying the msjunk setting to a different log file. A log format is required (here the common nickname, the same one the regular access_log uses); the env=msjunk condition restricts the entry to tagged requests.

      CustomLog "/private/var/log/httpd/msjunk_log" common env=msjunk

    If nothing will be done with the requests, the logs can instead be thrown out.

      CustomLog "/dev/null" common env=msjunk

  3. Update regular logging

    At this point, msjunk requests are going to both the new CustomLog entry and the regular log file. Any existing CustomLog entries will need to be updated so that they do not log requests carrying the msjunk tag; note the negated env=!msjunk condition.

      CustomLog "/private/var/log/httpd/access_log" common env=!msjunk

  4. Testing

    Save httpd.conf, restart Apache, and try both a good request and one containing a pattern to ensure logging is set up properly. The first request below should appear only in access_log, the second only in msjunk_log.

    $ curl http://www.example.org/ >/dev/null
      % Total    % Received % Xferd  Average Speed          Time             Curr.
                                     Dload  Upload Total    Current  Left    Speed
    100  4255  100  4255    0     0   7975      0  0:00:00  0:00:00  0:00:00  1618
    $ curl http://www.example.org/cmd.exe >/dev/null
      % Total    % Received % Xferd  Average Speed          Time             Curr.
                                     Dload  Upload Total    Current  Left    Speed
    100  1069    0  1069    0     0   3397      0 --:--:--  0:00:00 --:--:--     0

  5. Extra Work

    The new msjunk_log file may need to be rotated to prevent it from growing too large. This is outside the scope of this document.

Other interesting things can be done with the SetEnvIf parameter, such as logging requests from local testing systems to an alternate logfile. This can be done using the Remote_Host or Remote_Addr parameter instead of the Request_URI, and requires additional environment tags and updated CustomLog rules.
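To see how the SetEnvIf tags and CustomLog conditions described above sort traffic, here is an added Python script (not part of the hint) that applies the same msjunk patterns, plus an assumed Remote_Addr rule for a constructed local testing address, to constructed Common Log Format lines and reports which log file each line would reach.

```python
import re
# The hint's SetEnvIfNoCase Request_URI patterns; IGNORECASE emulates the NoCase variant.
MSJUNK_RE = re.compile(
    r"/cmd\.exe|/Admin\.dll|/root\.exe|/httpodbc\.dll|/owssvr\.dll|/default\.ida",
    re.IGNORECASE)
# Assumed address of a local testing box (constructed), tagged via Remote_Addr as the hint suggests.
LOCALTEST_RE = re.compile(r"^192\.168\.1\.50$")
# Each CustomLog as (logfile, environment variable, negated): env=tag versus env=!tag.
CUSTOM_LOGS = [
    ("msjunk_log", "msjunk", False),
    ("localtest_log", "localtest", False),
    ("access_log", "msjunk", True),
]
# Common Log Format: host ident user [time] "METHOD URI PROTO" status bytes
CLF_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" \d{3} \S+')

def set_env(remote_addr, request_uri):
    """Emulate the SetEnvIf chain: return the tags Apache would set for one request."""
    tags = set()
    if MSJUNK_RE.search(request_uri):
        tags.add("msjunk")
    if LOCALTEST_RE.search(remote_addr):
        tags.add("localtest")
    return tags

def route(lines):
    """Apply every CustomLog rule independently, as Apache does; a line may land in several logs."""
    logs = {name: [] for name, _, _ in CUSTOM_LOGS}
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip rather than guess
        tags = set_env(m.group("host"), m.group("uri"))
        for name, var, negated in CUSTOM_LOGS:
            if (var in tags) != negated:
                logs[name].append(line)
    return logs

# Constructed sample lines in Common Log Format, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Mar/2003:09:41:00 -0800] "GET / HTTP/1.0" 200 4255',
    '203.0.113.8 - - [19/Mar/2003:09:41:01 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1069',
    '203.0.113.10 - - [19/Mar/2003:09:41:03 -0800] "GET /winnt/system32/CMD.EXE?/c+dir HTTP/1.0" 404 1069',
    '192.168.1.50 - - [19/Mar/2003:09:41:04 -0800] "GET /index.html HTTP/1.0" 200 4255',
    '203.0.113.11 - - [19/Mar/2003:09:41:05 -0800] "GET /cmdXexe HTTP/1.0" 404 1069',
]

if __name__ == "__main__":
    for name, entries in route(SAMPLE_LOG).items():
        print(f"{name}: {len(entries)} line(s)")
```

Because each CustomLog directive tests a single environment variable, the local testing line lands in both localtest_log and access_log; keeping it out of access_log needs the Remote_Addr rule to also set a shared tag that the access_log entry negates. The /cmdXexe line shows why the dot is escaped: it reaches access_log only.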



Mac OS X Hints
http://hints.macworld.com/article.php?story=20030317133345352