Hi:

Here's how I handle the infected IIS server traffic that would normally
cause a 404 to be logged:

FILEEXCLUDE *cmd.exe*
FILEEXCLUDE *MSADC*
FILEEXCLUDE *msadc*
FILEEXCLUDE *_vti_bin*
FILEEXCLUDE *_mem_bin*
FILEEXCLUDE */c
FILEEXCLUDE */d
FILEEXCLUDE */scripts

This has eliminated the vast majority of traffic coming from the multitude
of infected IIS servers. Others may have more elegant ways of handling this.

Sincerely,
W. Jeffrey Rankin
Lead Publications Programmer

O'NEIL & ASSOCIATES, INC. <http://www.oneil.com>
495 Byers Rd.
Miamisburg, Ohio 45342-3662
Phone: (937) 865-0800 ext. 3504
Fax: (937) 865-5858
E-mail: [EMAIL PROTECTED]

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Aidan Whitehall
> Sent: Monday, July 29, 2002 11:01 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [analog-help] Preventing www.worm.com traffic from
> appearing in the report
>
>
> > > Is there any way to prevent these seemingly empty requests from
> > > skewing the 404 figures on the failure reports?
> >
> > I don't understand why you think the figures are skewed. It correctly
> > reports the number of 404s.
> >
> > But if you want to exclude them, you can use one of the *EXCLUDE
> > commands. (I'm not sure which one, because I'm not sure which field
> > this is.)
>
> Thanks for the reply.
>
> Please don't take what I wrote as an insinuation that analog doesn't
> produce accurate reports; I have no doubt that it does. I also happen to
> think that analog is an excellent piece of software. However, I'd like
> to be able to tailor it so that the reports generated are more
> meaningful to me (and, more importantly, my employer).
>
> For example, I've used HOSTEXCLUDE to exclude requests for web pages
> from users inside our network (based on the IP range).
>
> Additionally, the status code report shows that the most common status
> code returned is 404. Leafing through the logs shows that there is a lot
> of activity that (I assume) comes from infected IIS servers. If the most
> common status code is still 404 after excluding these requests, it might
> highlight problems with the site (information obviously useful to a
> developer).
>
> Below is a log file entry together with its header.
>
> #Software: Microsoft Internet Information Services 5.0
> #Version: 1.0
> #Date: 2002-07-29 01:01:03
> #Fields: date time c-ip cs-username s-sitename s-computername s-ip
> s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status
> sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent)
> cs(Cookie) cs(Referer)
> 2002-07-29 01:01:04 217.37.111.57 - W3SVC1 ServerName ServerIP 80 - - -
> 404 2 245 97 0 HTTP/1.0 www - - -
> 2002-07-29 01:01:04 217.37.111.57 - W3SVC1 ServerName ServerIP 80 - - -
> 404 2 245 97 0 HTTP/1.0 www - - -
> 2002-07-29 01:01:04 217.37.111.57 - W3SVC1 ServerName ServerIP 80 - - -
> 404 2 245 98 0 HTTP/1.0 www - - -
>
>
> Thanks
>
> --
> Aidan Whitehall<[EMAIL PROTECTED]>
> Macromedia ColdFusion Developer
> Fairbanks Environmental +44 (0)1695 51775
>
> +------------------------------------------------------------------------
> |  This is the analog-help mailing list. To unsubscribe from this
> |  mailing list, go to
> |    http://lists.isite.net/listgate/analog-help/unsubscribe.html
> |
> |  List archives are available at
> |    http://www.mail-archive.com/[email protected]/
> |    http://lists.isite.net/listgate/analog-help/archives/
> |    http://www.tallylist.com/archives/index.cfm/mlist.7
> +------------------------------------------------------------------------
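
The following is an added example, not part of the original messages and not Analog's own code: it applies the FILEEXCLUDE patterns from the reply above to a constructed IIS W3C log and compares status-code counts before and after, including one empty-request row ("-" stem) like those in the quoted log. It assumes case-sensitive wildcard matching via Python's fnmatch, which only approximates Analog's matcher; all log rows and addresses are constructed.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Patterns copied from the FILEEXCLUDE lines in the reply above.
EXCLUDE = ["*cmd.exe*", "*MSADC*", "*msadc*", "*_vti_bin*", "*_mem_bin*",
           "*/c", "*/d", "*/scripts"]

# Constructed sample in IIS W3C extended format (RFC 5737 test addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-07-29 01:01:04 192.0.2.10 GET /c/winnt/system32/cmd.exe - 404
2002-07-29 01:01:05 192.0.2.10 GET /MSADC/probe - 404
2002-07-29 01:01:06 192.0.2.10 GET /_vti_bin/probe - 404
2002-07-29 01:01:07 192.0.2.10 GET /scripts - 404
2002-07-29 01:02:00 198.51.100.7 GET /products/old-page.html - 404
2002-07-29 01:02:10 198.51.100.7 GET /index.html - 200
2002-07-29 01:03:00 203.0.113.5 - - - 404
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated rows
                yield dict(zip(fields, values))

def is_excluded(stem, patterns=EXCLUDE):
    """True if the requested file matches any exclusion pattern."""
    return any(fnmatchcase(stem, p) for p in patterns)

def status_counts(text, patterns=()):
    """Count status codes over rows that survive the exclusions."""
    return Counter(r["sc-status"] for r in parse_w3c(text)
                   if not is_excluded(r["cs-uri-stem"], patterns))

def remaining_404s(text, patterns=EXCLUDE):
    """URI stems of the 404s still reported after exclusion."""
    return [r["cs-uri-stem"] for r in parse_w3c(text)
            if r["sc-status"] == "404"
            and not is_excluded(r["cs-uri-stem"], patterns)]

if __name__ == "__main__":
    print("before:", dict(status_counts(SAMPLE_LOG)))
    print("after: ", dict(status_counts(SAMPLE_LOG, EXCLUDE)))
    print("404s left:", remaining_404s(SAMPLE_LOG))
```

The 404s left after filtering are the ones worth a developer's attention; rows whose stem is "-" match none of the file patterns in this approximation.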
