Have you tried the IISLockdown tool from MS? I haven't used that (or been an IIS admin) since the CodeRed and Nimda virus days, but that helped a bunch. IIRC it can be configured to ignore certain URL types/regexes.

Mike Harrington wrote:
> The server is running IIS. The actual worm isn't causing any damage to us
> other than trying to flood our server with bogus requests. So far the
> response time of the server hasn't been damaged, but it's only day two of
> the virus and it seems by 5% an hour. Right now the server is getting about
> 1200 bogus requests a minute which is around 1.7 million a day (at the
> current rate). The log files I can just delete every few hours, but I was
> hoping to find a little bit better solution.
>
> -Mike
>
> ----- Original Message -----
> From: "decker" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Wednesday, March 02, 2005 12:55 PM
> Subject: [xmail] Re: 110% off topic
>
>
>>Hi,
>>
>>I'm not sure if this will help you since it's only relevant for apache
>>users. If you are running IIS or something I dunno.
>>
>>If you watch your logs closely you'll probably know there are some really
>>annoying windows worm things out there that, while posing no threat to
>>apache/*nix, are still annoying and a waste of space in logs.
>>
>>For example there is one that does a SEARCH request that is so long it
>>breaches apache's max length for a url. To not log it (and another for
>>example) I have in httpd.conf
>>
>>SetEnvIf Request_URI ^/SEARCH annoying
>>SetEnvIf Request_URI ^/scripts/.. annoying
>>
>>And in my vhost entries (anywhere that would log this really)
>>
>>CustomLog /home/decker/logs/www/n3t.net-access_log combined env=!annoying
>>
>>This allows me to log everything normally except the junk from the worms.
>>I'm not familiar with the bagle virus and what it looks for, however you may
>>be able to apply the above example to help performance and save disk space.
>>If the virus requests are causing the server to hit its MaxClients limit,
>>then you are SOL for the most part.
>>
>>-darren
>>-
>>To unsubscribe from this list: send the line "unsubscribe xmail" in
>>the body of a message to [EMAIL PROTECTED]
>>For general help: send the line "help" in the body of a message to
>>[EMAIL PROTECTED]
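
To see what the SetEnvIf rules quoted in this thread would suppress before putting them in httpd.conf, the following added example (not code from the thread or from Apache) replays them over constructed combined-format log lines. The Request_Method rule, the function names and the sample entries are assumptions introduced here for illustration.

```python
import re

# Request line of a combined-format entry: "METHOD URI PROTOCOL"
REQUEST = re.compile(r'"(?P<method>\S+) (?P<uri>\S+)[^"]*"')

# The two rules quoted in the thread, as (SetEnvIf attribute, regex) pairs.
PAGE_RULES = [("Request_URI", r"^/SEARCH"), ("Request_URI", r"^/scripts/..")]
# Assumption added for this example (not in the thread): match the HTTP method.
METHOD_RULE = ("Request_Method", r"^SEARCH$")

def is_annoying(line, rules):
    """True if any rule would set the 'annoying' variable for this entry."""
    m = REQUEST.search(line)
    if m is None:
        return False  # unparsable request line: keep the entry
    attrs = {
        "Request_URI": m.group("uri").split("?", 1)[0],  # path without query
        "Request_Method": m.group("method"),
    }
    # SetEnvIf regexes are unanchored searches unless the pattern anchors itself.
    return any(re.search(rx, attrs[name]) for name, rx in rules)

def split_log(lines, rules):
    """Return (kept, dropped): what env=!annoying would log and suppress."""
    kept, dropped = [], []
    for line in lines:
        (dropped if is_annoying(line, rules) else kept).append(line)
    return kept, dropped

# Constructed sample entries (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [02/Mar/2005:12:00:01 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [02/Mar/2005:12:00:02 -0500] "GET /scripts/../probe HTTP/1.0" 404 290 "-" "-"',
    '192.0.2.45 - - [02/Mar/2005:12:00:03 -0500] "SEARCH /AAAAAAAAAAAAAAAA HTTP/1.1" 414 320 "-" "-"',
    '192.0.2.46 - - [02/Mar/2005:12:00:04 -0500] "GET /SEARCH/x HTTP/1.0" 404 288 "-" "-"',
]

if __name__ == "__main__":
    for label, rules in (("thread rules", PAGE_RULES),
                         ("plus method rule", PAGE_RULES + [METHOD_RULE])):
        kept, dropped = split_log(SAMPLE, rules)
        saved = sum(len(entry) + 1 for entry in dropped)
        print(f"{label}: kept={len(kept)} dropped={len(dropped)} bytes saved={saved}")
```

Request_URI holds only the path, so in this sample the entry whose method is SEARCH is still logged until a Request_Method rule is added; running candidate patterns over a slice of the real access log shows such gaps before the CustomLog line is changed.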
