httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Slive <>
Subject Re: different looging between HTTP/1.0 and 1.1??
Date Thu, 14 Mar 2002 22:57:05 GMT
G√ľnter Knauf wrote:
> Hi all,
> I use the following for getting virus attacks into attack_log instead of access_log:

> this works fine when I test from browser, but when the virus tries to access default.ida
it is still logged in the access_log. The only difference you can see in the log is that the
virus access is with HTTP/1.0 while my access from browser is with HTTP/1.1; 
> now my question:
> is it possible that this the reason why the above config doesnt work as I expect??

This question would be more appropriate on the users list.

You don't show the log entries, but the most likely explanation has 
nothing to do with the protocol version.  Instead, it has to do with the 
fact that the worm requests are using malformed headers that are 
rejected before they ever get to the point where the SetEnvIf conditions 
are evaluated.

As an aside, it amazes me how much time people are wasting trying to 
filter out these requests.  There have been numerous bug reports, 
newsgroup postings, etc, on this issue.  It almost makes me regret that 
apache does any log-filtering at all.


View raw message