Mike Wright <ibeonmypc.RemoveThis@hot_mail.com> wrote in
news:Lhm6c.60190$QP.9516@twister.rdc-kc.rr.com:
> patpro wrote:
>
>> In article <Xjl6c.60180$QP.25864@twister.rdc-kc.rr.com>,
>> Mike Wright <ibeonmypc.RemoveThis@hot_mail.com> wrote:
>>
>>> My webalizer cron job was not running because I had a few entries in my
>>> access.log file of \x90\x90\x90, which just ran on forever. Webalizer was
>>> complaining of oversized log records. This just appears to be an ASP
>>> buffer overflow exploit. Is there any way to keep this from happening in
>>> the future? Or do I just have to watch for the errors then delete the
>>> long entries from my log file?
>>
>> webalizer should definitively run ok even with a log file full of such
>> records. It will normally issue a warning for those nasty log entries but
>> will properly generate log statistics.
>> Are your PERL and your webalizer up to date?
>>
>> patpro
>>
>
> Yeah I guess it still ran, but it just gave me that error of;
>
> Skipping oversided log record.
>
> That specific line was about 24,000 characters long. There were four
> different instances of it.
>
> Perl 5.6.1
> Webalizer V2.01-10
Hi,
Sorry, I don't have a solid answer to this; this is what I have
tried so far:
Added to httpd.conf:
CustomLog /var/log/httpd/access_log combined env=!nolog
SetEnvIfNoCase Request_URI "^/\x90\x02\xb1" nolog
Redirect gone /\x90\x02\xb1
which doesn't work.
These, however, do work for Nimda/CodeRed etc.:
SetEnvIfNoCase Request_URI "^/scripts/" nolog
SetEnvIfNoCase Request_URI "^/msadc/" nolog
SetEnvIfNoCase Request_URI "^/MSADC/" nolog
SetEnvIfNoCase Request_URI "^/_vti_bin/" nolog
SetEnvIfNoCase Request_URI "^/_mem_bin/" nolog
SetEnvIfNoCase Request_URI "^/c/winnt/" nolog
SetEnvIfNoCase Request_URI "^/d/winnt/" nolog
SetEnvIfNoCase Request_URI "^/default.ida" nolog
SetEnvIfNoCase Request_URI "^/default.ida?" nolog
Redirect gone /scripts/
Redirect gone /msadc/
Redirect gone /MSADC/
Redirect gone /_vti_bin/
Redirect gone /_mem_bin/
Redirect gone /c/winnt/
Redirect gone /d/winnt/
Redirect gone /default.ida
Redirect gone /default.ida?
Perhaps the initial backslash creates a problem?
Apache reports syntax ok.
Maybe someone knows why this doesn't work and what needs to be
added or escaped etc.?
TZ
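The other half of the original question was how to cope with the long records that are already in access.log so that webalizer's cron job stays clean. The following Python script is an added example, not code posted by anyone in this thread: it reads Apache combined-format lines, separates the ones webalizer would skip (oversized records, requests whose URI is a run of `\xHH` escapes the way Apache writes non-printable bytes, and the well-known worm probe paths from the SetEnvIfNoCase list above) from normal traffic, and returns the clean lines plus a count per category. The 4096-byte record limit and the sample log lines are constructed assumptions for the example, not values taken from the thread.

```python
"""Pre-filter an Apache combined-format access log before handing it to a
log analyser: drop oversized records, NOP-sled requests and worm probes."""
import re
from collections import Counter

# The quoted request field in a combined-format line: "METHOD URI PROTOCOL"
REQUEST_RE = re.compile(r'"([^"]*)"')

# Apache logs non-printable request bytes as \xHH escapes, so a shellcode
# NOP sled shows up as a long run of "\x90"-style tokens.  Sixteen or more
# consecutive escapes is treated as a sled (constructed threshold).
SLED_RE = re.compile(r'(?:\\x[0-9a-f]{2}){16,}', re.IGNORECASE)

# URI prefixes from the SetEnvIfNoCase rules in the thread, matched
# case-insensitively as SetEnvIfNoCase does.
PROBE_RE = re.compile(
    r'^/(?:scripts/|msadc/|_vti_bin/|_mem_bin/|[cd]/winnt/|default\.ida)',
    re.IGNORECASE)

# Assumption: per-record buffer size of the analyser (webalizer-like).
MAX_RECORD = 4096


def request_uri(line):
    """Return the URI from the quoted request field, or None if absent."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = m.group(1).split(' ')
    # A malformed request may have no method; fall back to the first token.
    return parts[1] if len(parts) >= 2 else parts[0]


def classify(line, max_record=MAX_RECORD):
    """Label one log line: ok, oversized, unparseable, nop-sled or worm-probe."""
    if len(line.rstrip('\n')) > max_record:
        return 'oversized'
    uri = request_uri(line)
    if uri is None:
        return 'unparseable'
    if SLED_RE.search(uri):
        return 'nop-sled'
    if PROBE_RE.match(uri):
        return 'worm-probe'
    return 'ok'


def filter_log(lines, max_record=MAX_RECORD):
    """Return (lines worth analysing, Counter of labels seen)."""
    kept, counts = [], Counter()
    for line in lines:
        kind = classify(line, max_record)
        counts[kind] += 1
        if kind == 'ok':
            kept.append(line)
    return kept, counts


def log_line(client, request, status):
    """Build a constructed combined-format line for the sample below."""
    return ('%s - - [10/Mar/2004:12:00:00 -0600] "%s" %d 512 "-" "Mozilla/4.0"'
            % (client, request, status))


# Constructed sample log (not real traffic): two normal hits, two worm
# probes, one 4000-escape sled that is too long for the record buffer, and
# one short sled that fits the buffer but is still junk for statistics.
SAMPLE_LINES = [
    log_line('192.0.2.10', 'GET /index.html HTTP/1.1', 200),
    log_line('192.0.2.11', 'GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0', 404),
    log_line('192.0.2.12', 'SEARCH /' + '\\x90' * 4000 + ' HTTP/1.1', 414),
    log_line('192.0.2.13', 'SEARCH /' + '\\x90' * 20 + ' HTTP/1.1', 501),
    log_line('192.0.2.14', 'GET /Default.IDA?XXXXXXXXXXXXXXXX HTTP/1.0', 404),
    log_line('192.0.2.15', 'GET /images/logo.png HTTP/1.1', 200),
]


if __name__ == '__main__':
    clean, summary = filter_log(SAMPLE_LINES)
    for kind, n in sorted(summary.items()):
        print('%-12s %d' % (kind, n))
    print('kept %d of %d records' % (len(clean), len(SAMPLE_LINES)))
```

Run it over a real file with `filter_log(open('/var/log/httpd/access_log'))` and write the kept lines to a scratch file that webalizer reads instead of the live log; the counts tell you how much of the log was probe noise. Because the sled check looks at the `\xHH` escape text Apache emits rather than raw bytes, it works on the log as written even when the original request bytes were not printable.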