Re: [cobalt-users] Webalizer 2.01 stats skewed by Code Red
- Subject: Re: [cobalt-users] Webalizer 2.01 stats skewed by Code Red
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Sat Aug 11 12:45:41 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
"MikeM" <MyRaQ@xxxxxxxxx> wrote:
> On 8/11/2001 at 1:03 PM Steve Werby wrote:
>
> | "MikeM" <MyRaQ@xxxxxxxxx> wrote:
> | > I inserted the following line in my /etc/webalizer.conf file to
> | > have webalizer ignore the hits from Microsoft's Code Red fiasco:
> | >
> | > IgnoreAgent -
> | >
> | > Yes, that is a single "hyphen" after the tab. The Code Red
> | > worm uses the hyphen as its agent name.
> |
> | In case a User Agent of "-" is used by others not related you might want
> | to consider the IgnoreURL keyword instead.
> |
> | 'IgnoreURL default.ida' should accomplish the same thing. Which you use
> | really depends on which you believe is more likely to result in false
> | positives.
> |
> Code Red also uses a Referer URL of "-", so IgnoreReferrer (check
> for the proper spelling in the conf file) is another keyword that can be
> used.

Keep in mind that the Referrer is blank whenever a web request doesn't come
from a referring document internal to or external to your website or a user
sets their own referrer value to a blank value. If you use IgnoreReferrer
in an attempt to ignore traffic from Code Red attacks you'll likely make
your Webalizer reports completely useless if your website receives a high
number of direct requests. IMO IgnoreURL will result in the least false
positives (what are the chances you have a file called default.ida on your
server?), though IgnoreAgent could be just as good if you don't receive
other requests from a User Agent that doesn't identify itself.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
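
The trade-off discussed in this thread, shown as an added example that is not part of the original messages or of Webalizer itself: the script below applies the three candidate rules to a small, constructed set of labelled Combined Log Format lines and counts how many legitimate requests each rule would discard. The matching logic (substring on the URL, exact "-" on agent and referrer), the sample lines and the function names are assumptions made for illustration; check the Webalizer documentation for its actual pattern semantics.

```python
import re

# Combined Log Format: host ident user [time] "request" status bytes "referrer" "agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+)[^"]*" \d{3} \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed, simplified matching (not Webalizer's own code):
# substring match on the URL, exact "-" on agent and referrer.
RULES = {
    "IgnoreURL default.ida": lambda r: "default.ida" in r["url"],
    "IgnoreAgent -": lambda r: r["agent"] == "-",
    "IgnoreReferrer -": lambda r: r["referrer"] == "-",
}

MSIE = "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
TS = "[11/Aug/2001:10:00:00 -0400]"
# Constructed sample: (is_code_red, log line). Addresses are documentation ranges.
SAMPLE = [
    (True,  f'192.0.2.10 - - {TS} "GET /default.ida?XXXXXXXX HTTP/1.0" 404 205 "-" "-"'),
    (True,  f'198.51.100.7 - - {TS} "GET /default.ida?XXXXXXXX HTTP/1.0" 404 205 "-" "-"'),
    (False, f'203.0.113.5 - - {TS} "GET /index.html HTTP/1.0" 200 5120 "-" "{MSIE}"'),
    (False, f'203.0.113.6 - - {TS} "GET /products.html HTTP/1.0" 200 7301 "-" "{MSIE}"'),
    (False, f'203.0.113.7 - - {TS} "GET /index.html HTTP/1.0" 200 5120 "http://www.example.com/links.html" "{MSIE}"'),
    (False, f'203.0.113.8 - - {TS} "GET /status.html HTTP/1.0" 200 88 "-" "-"'),
    (False, f'203.0.113.9 - - {TS} "GET /contact.html HTTP/1.0" 200 2210 "http://www.example.com/" "{MSIE}"'),
]

def evaluate(sample):
    """Return {rule: (ignored, false_positives, missed)} for labelled log lines."""
    results = {}
    for name, matches in RULES.items():
        ignored = false_pos = missed = 0
        for is_worm, line in sample:
            m = LINE_RE.match(line)
            if m is None:
                continue  # unparseable line: leave it out of the tally
            hit = matches(m.groupdict())
            ignored += hit
            false_pos += hit and not is_worm   # legitimate request dropped from the report
            missed += is_worm and not hit      # worm probe still counted in the report
        results[name] = (ignored, false_pos, missed)
    return results

if __name__ == "__main__":
    for rule, (ignored, fp, missed) in evaluate(SAMPLE).items():
        print(f"{rule:24} ignored={ignored} false_positives={fp} missed={missed}")
```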