#1
Apache access logs
I am running an Apache 2.0.49 server on a win 2000 box.
Every once in a while I get an entry in my access log that looks like this: SEARCH /\x90\x02\xb1\x02\xb1\.... but much, much longer! What in the heck is this? A search bot? Someone searching for exploits?
#2
It relates to an exploit for IIS, Nimda I believe?
It poses no threat to Apache, aside from the fact that your logs get massive when unattended. I've been trying to find a way for Apache NOT to log SEARCH methods, and simply log GET and POST methods... since I'm pretty positive I've set up my server to *only* accept those two methods...
#3
Quote:
Please tell us exactly how to do it. Thanks a lot.
#4
Quote:
(not that I'm counting)
Better yet, could the server be configured to disregard them altogether?
#5
Yes it can, you can set Apache to log only GET or POST etc. Let me look it up.
#6
Answer
# Just add (or replace if needed) following lines in your
# apache2 httpd.conf
#
SetEnvIfNoCase Request_Method "^(GET|POST)" goodlog
CustomLog logs/access_log common env=goodlog
#
#
#7
OCKAP, would this work for my ErrorLog as well?
#8
Keeping in mind that this is only a testing environment... obviously in production I'd want to know any intrusion attempts.
#9
Another way (as there are many)
#Handle exploits, don't log in access.log file
#(SEARCH is the request method in these entries, so match Request_Method rather than Request_URI)
SetEnvIf Request_Method "^SEARCH$" exploit
CustomLog logs/access.log common env=!exploit
#Handle exploits, log in exploit.log file
CustomLog logs/exploit.log combined env=exploit
By using a '!' (bang) before the 'exploit' tag you are telling Apache not to log those requests; alternatively, env=exploit for the exploit.log file will log only those IPs attempting to exploit your box.
Now that your access.log file is clear from these annoyances, you can freely search through it without having to grumble past the ##,### characters. And you now have a record of all the 'leet' ones attempting to intrude on your box.
KP
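An added example, not part of the thread or written by any of its posters: the same GET/POST split applied after the fact to an access log that already contains the long SEARCH entries, keeping a shortened record and a per-client count instead of discarding them. It assumes the `common` log format used in the posts; the function names and the sample lines are made up for illustration.

```python
import re
from collections import Counter

# Common Log Format; Apache writes non-printable request bytes as \xNN escapes.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) (\S+)')
ALLOWED = {"GET", "POST"}  # same allow-list as the goodlog rule in the thread

def parse_line(line):
    """Return (ip, timestamp, method, request, status), or None if not CLF."""
    m = CLF.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return ip, ts, request.split(" ", 1)[0].upper(), request, int(status)

def triage(lines, preview=40):
    """Return (kept, flagged, per_ip): GET/POST lines, everything else
    with the request shortened, and a count of flagged requests per client."""
    kept, flagged, per_ip = [], [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] in ALLOWED:
            kept.append(line)
            continue
        # Unparseable lines are flagged too rather than silently dropped.
        ip, ts, method, request, status = rec or ("?", "?", "?", line, 0)
        short = request[:preview] + ("..." if len(request) > preview else "")
        flagged.append((ip, ts, method, status, short))
        per_ip[ip] += 1
    return kept, flagged, per_ip

# Constructed sample lines: documentation addresses, made-up status codes and payloads.
SAMPLE = [
    '192.0.2.10 - - [12/May/2004:10:01:02 -0500] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [12/May/2004:10:03:40 -0500] "SEARCH /\\x90\\x02\\xb1\\x02\\xb1'
    + '\\x90' * 50 + '" 414 340',
    '192.0.2.10 - - [12/May/2004:10:04:11 -0500] "POST /form.cgi HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/May/2004:10:09:55 -0500] "SEARCH /' + '\\x90' * 80 + '" 414 340',
]

if __name__ == "__main__":
    kept, flagged, per_ip = triage(SAMPLE)
    print(len(kept), "lines kept")
    for ip, n in per_ip.most_common():
        print(ip, n, "non-GET/POST requests")
    for rec in flagged:
        print(rec)
```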