Hi,

I have a problem with getting the long SEARCH requests logged
seperately. I'm using this configuration:
code:
SetEnvIfNoCase Request_Method "SEARCH" worm
SetEnvIf Request_URI "^/[a-zA-Z0-9 ].*" !worm
SetEnvIfNoCase Request_URI "^/$" !worm

CustomLog /var/log/apache/access_log common env=!worm
CustomLog /var/log/apache/worm_attacks "%h - %t \"Worm attack\" %>s %b" env=
worm

Now, when I telnet to the server and query for example "SEARCH /#¤%"
then it is correctly identified as a "worm attack" and when I query
"SEARCH /" it is identified as a valid request.

Ok so far so good, it seems to be working. Now then the problem is
that when the WebDAV worms come with their long SEARCH queries they
don't get recognized as worms.
So is this some kind of bug in Apache? I'm using Apache 1.3.24 on
a Linux machine.


Thanks for any help,
Daniel Bengs

"chekov" <chekov.15ljlp@mail.webservertalk.com> schreef in bericht
news:chekov.15ljlp@mail.webservertalk.com...
> Ok so far so good, it seems to be working. Now then the problem is
> that when the WebDAV worms come with their long SEARCH queries they
> don't get recognized as worms.
http://httpd.apache.org/docs/mod/co...imitrequestbody
One of the LimitRequest* directives setting or their defaults may make your
Apache report an _error_ before you are given a change to divert the log of
_access_.

> So is this some kind of bug in Apache?
That depends on ones point of view...
... in general it is not good to process an oversized
... so reporting reciept of an incomplete request seems appropriate

HansH

[ Post a follow-up to this message ]

Ok, yes I do get a lot of "request failed: URI too long" in the error_log...
 so what should I do then, increase the limit?
That might of course not really be so good... but on the other hand are ther
e any other solutions?


Daniel

[ Post a follow-up to this message ]