From: eldy <>
Date: Sat, 10 Jan 2004 11:17:00 +0000 (+0000)
Subject: Updated documentation.
X-Git-Tag: AWSTATS_6_0_RELEASE~13
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=19b3645d00bbe51cd30d25cfc2ba4e098ae496e8;p=thirdparty%2FAWStats.git
Updated documentation.
---
diff --git a/docs/awstats_faq.html b/docs/awstats_faq.html
index bcd79747..c08ecf38 100644
--- a/docs/awstats_faq.html
+++ b/docs/awstats_faq.html
@@ -1387,9 +1387,15 @@ unknown URL like this one:
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%40%50...%40%50
URL is generated by the infected robot and the purpose is to exploit a vulnerability of the web server (In most cases, only IIS is vulnerable).
With such attacks, you will will always find a 'common string' in those URLs.
-For example, with Code Red worm, there is always default.ida in the URL string. Some other worms send URLs with cmd.exe in it.
-So, you should edit your config file to add in the SkipFiles parameter the following value:
-SkipFiles="default.ida cmd.exe"
+For example, with Code Red worm, there is always default.ida in the URL string. Some other worms send URLs with cmd.exe in it.
+With 6.0 version and higher, you can set the LevelForFormDetection
+parameter to "2" and ShowWormsStats to "HBL" in
+config file to enable the worm filtering nd reporting.
+However, this feature reduce seriously AWStats speed and the worms database (lib/worms.pm file) can't contain
+all worms signatures. So if you still have rubish hits, you can modify the worms.pm file yourself or
+edit your config file to add in the SkipFiles parameter some
+values to discard the not required records, using a regex syntax like example :
+SkipFiles="REGEX[^\/default\.ida] REGEX[\/winnt\/system32\/cmd\.exe]"
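Review bot: The parameter name in the added text, LevelForFormDetection, looks like a typo for LevelForWormsDetection. The sentence describes worm filtering and pairs the parameter with ShowWormsStats, and a reader who copies the name as written into their config file would not turn the feature on. The same added paragraph has "nd reporting" (and), "rubish" (rubbish) and "reduce seriously" (seriously reduces), and the unchanged context line above still reads "will will". In the SkipFiles example, the default.ida pattern is anchored with ^ while the cmd.exe pattern is not; a short phrase explaining that difference would help readers write their own patterns. It is also worth stating that records matched by SkipFiles are discarded, so those probes disappear from the report, whereas the ShowWormsStats route keeps them visible.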