<i>/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%40%50...%40%50</i><br>
URL is generated by the infected robot and the purpose is to exploit a vulnerability of the web server (In most cases, only IIS is vulnerable).
With such attacks, you will will always find a 'common string' in those URLs.
-For example, with Code Red worm, there is always default.ida in the URL string. Some other worms send URLs with cmd.exe in it.
-So, you should edit your config file to add in the <a href="awstats_config.html#SkipFiles">SkipFiles</a> parameter the following value:<br>
-<i>SkipFiles="default.ida cmd.exe"</i><br>
+For example, with Code Red worm, there is always default.ida in the URL string. Some other worms send URLs with cmd.exe in it.<br>
+With 6.0 version and higher, you can set the <a href="awstats_config.html#LevelFor">LevelForFormDetection</a>
+parameter to "2" and <a href="awstats_config.html#Show">ShowWormsStats</a> to "HBL" in
+config file to enable the worm filtering nd reporting.<br>
+However, this feature reduce seriously AWStats speed and the worms database (lib/worms.pm file) can't contain
+all worms signatures. So if you still have rubish hits, you can modify the worms.pm file yourself or
+edit your config file to add in the <a href="awstats_config.html#SkipFiles">SkipFiles</a> parameter some
+values to discard the not required records, using a regex syntax like example :<br>
+<i>SkipFiles="REGEX[^\/default\.ida] REGEX[\/winnt\/system32\/cmd\.exe]"</i><br>
<br>
<hr>
projects / thirdparty / AWStats.git / commitdiff
