Have you tried the IISLockdown tool from MS? I haven't used that (or
been an IIS admin) since the CodeRed and Nimda virus days, but that
helped a bunch. IIRC it can be configured to ignore certain URL
types/regexes.

Mike Harrington wrote:
> The server is running IIS.  The actual worm isn't causing any damage to us
> other than trying to flood our server with bogus requests.  So far the
> response time of the server hasn't been damaged, but it's only day two of
> the virus and it seems by 5% an hour.  Right now the server is getting about
> 1200 bogus requests a minute which is around 1.7 million a day (at the
> current rate).  The log files I can just delete every few hours, but I was
> hoping to find a little bit better solution.
> 
> -Mike
> 
> ----- Original Message ----- 
> From: "decker" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Wednesday, March 02, 2005 12:55 PM
> Subject: [xmail] Re: 110% off topic
> 
> 
> 
>>Hi,
>>
>>I'm not sure if this will help you since it's only relative for apache
>>users. If you are running IIS or something I dunno.
>>
>>If you watch your logs closely you'll probably know there are some really
>>annoying windows worm things out there that, while posing no threat to
>>apache/*nix, are still annoying and a waste of space in logs.
>>
>>For example there is one that does a SEARCH request that is so long it
>>breaches apache's max length for a url. To not log it (and another for
>>example) I have in httpd.conf
>>
>>SetEnvIf Request_URI ^/SEARCH annoying
>>SetEnvIf Request_URI ^/scripts/.. annoying
>>
>>And in my vhost entries (anywhere that would log this really)
>>
>>CustomLog /home/decker/logs/www/n3t.net-access_log combined env=!annoying
>>
>>This allows me to log everything normally except the junk from the worms.
>>I'm not familiar with the bagle virus and what it looks for, however you may
>>be able to apply the above example to help performance and save disk space.
>>If the virus requests are causing the server to hit its MaxClients limit,
>>then you are SOL for the most part.
>>
>>-darren
>>-
>>To unsubscribe from this list: send the line "unsubscribe xmail" in
>>the body of a message to [EMAIL PROTECTED]
>>For general help: send the line "help" in the body of a message to
>>[EMAIL PROTECTED]
> 
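
A dry run of the two `SetEnvIf` patterns quoted above against an existing access log, to see what `env=!annoying` would stop logging before it is switched on. This is an added example, not part of the thread: the function names, the `ESCAPED` variant and the sample log lines are constructed here, and it assumes the logged request path is what `Request_URI` is matched against.

```python
import re
from collections import Counter

# Patterns exactly as in the quoted httpd.conf lines (SetEnvIf takes regexes).
AS_POSTED = [r"^/SEARCH", r"^/scripts/.."]
# Assumption of this example: the two dots were meant literally.
ESCAPED = [r"^/SEARCH", r"^/scripts/\.\."]

# Apache "combined" log format, parsed up to the status code.
LINE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation addresses, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [02/Mar/2005:12:55:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [02/Mar/2005:12:55:02 -0500] "GET /scripts/../constructed-probe HTTP/1.0" 404 290 "-" "-"',
    '198.51.100.8 - - [02/Mar/2005:12:55:40 -0500] "GET /SEARCH/constructed HTTP/1.0" 404 290 "-" "-"',
    '192.0.2.11 - - [02/Mar/2005:12:56:03 -0500] "GET /scripts/app.js HTTP/1.1" 200 812 "-" "Mozilla/4.0"',
    'garbled line with no request field',
]

def dry_run(lines, patterns):
    """Split lines the way CustomLog ... env=!annoying would: (kept, dropped per minute)."""
    regexes = [re.compile(p) for p in patterns]
    kept, dropped = [], Counter()
    for line in lines:
        m = LINE.match(line)
        if m is None:              # unparsable: keep it rather than lose evidence
            kept.append(line)
            continue
        ts, _method, uri, _status = m.groups()
        if any(r.search(uri) for r in regexes):
            dropped[ts[:17]] += 1  # "02/Mar/2005:12:55" is the minute bucket
        else:
            kept.append(line)
    return kept, dropped

def overmatched(lines):
    """Lines the posted patterns drop but the escaped variant keeps."""
    kept_posted, _ = dry_run(lines, AS_POSTED)
    kept_escaped, _ = dry_run(lines, ESCAPED)
    return [ln for ln in kept_escaped if ln not in kept_posted]

if __name__ == "__main__":
    kept, dropped = dry_run(SAMPLE, AS_POSTED)
    for minute, n in sorted(dropped.items()):
        print(f"{minute}  {n} request(s) would go unlogged")
    for line in overmatched(SAMPLE):
        print("over-match:", line)
```

On the sample, the posted `^/scripts/..` pattern also drops the ordinary `/scripts/app.js` request, because an unescaped `.` matches any character.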
