Günter Knauf wrote:

> Hi all,
> I use the following for getting virus attacks into attack_log instead of access_log:
>
> this works fine when I test from browser, but when the virus tries to access default.ida it is still logged in the access_log. The only difference you can see in the log is that the virus access is with HTTP/1.0 while my access from browser is with HTTP/1.1;
> now my question:
> is it possible that this is the reason why the above config doesn't work as I expect??

This question would be more appropriate on the users list.

You don't show the log entries, but the most likely explanation has nothing to do with the protocol version. Instead, it has to do with the fact that the worm requests are using malformed headers that are rejected before they ever get to the point where the SetEnvIf conditions are evaluated.

As an aside, it amazes me how much time people are wasting trying to filter out these requests. There have been numerous bug reports, newsgroup postings, etc., on this issue. It almost makes me regret that Apache does any log-filtering at all.

Joshua.
