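# $Id: group.url.conf,v 1.3 2001/12/14 00:11:31 erich Exp $
#
# URL grouping rules. Each rule has the form
#   groupurl = "<regular expression>",<group label>
# A request URL that matches the expression is reported under the label.
# "$1" in the label is presumably the first capture group of the
# expression (confirm against the consuming tool's documentation).

[groupurl]
# Group index pages with directory page, so "/docs/index.html" is counted
# as "/docs/". The expression is not anchored at the end, so a longer name
# such as "/docs/index.html.bak" is folded into the directory as well.
groupurl = "^(/.*/)(index|default)\.(html?|shtml|phtml|php[34]?|cgi|pl|jsp|asp)",$1

# Group CGIs by stripping parameters: everything from the first "?" on is
# dropped, so all invocations of one script share a single entry.
groupurl = "^(.+?)\?",$1

[group_exploits]
# Typical requests by common internet worms.
#
# These rules only label probe traffic in the report. A match shows that
# the request was received, not that it succeeded; check the response
# status of the matching log entries before drawing conclusions.
#
# NOTE(review): every expression below depends on the query string
# ("?XXXXXXX", "?/c+dir"). Confirm that this section is evaluated against
# the raw URL, i.e. before the parameter-stripping rule in [groupurl],
# otherwise none of these can match.
#
# Dots in file names are escaped so that they match literally.

# Oversized query string sent to /default.ida; the filler character
# ("X" or "N") is what tells the two variants apart.
groupurl = "^/default\.ida\?XXXXXXX",worm attack (Code.Red II)
groupurl = "^/default\.ida\?NNNNNNN",worm attack (Code.Red)

# Request for a root.exe copy under /MSADC or /scripts.
groupurl = "^/(MSADC|scripts)/root\.exe\?/c\+dir",worm attack (W32.Nimda.A@mm)

# Directory traversal towards cmd.exe. "%255c" is a double-encoded
# backslash ("%25" decodes to "%", leaving "%5c"); "%c1%1c" is a malformed
# multi-byte sequence used for the same purpose.
groupurl = "^/(_mem_bin|_vti_bin)/\.\.%255c\.\./\.\.%255c\.\./\.\.%255c\.\./winnt/system32/cmd\.exe\?/c\+dir",worm attack (W32.Nimda.A@mm)
groupurl = "^/msadc/\.\.%255c\.\./\.\.%255c\.\./\.\.%255c/\.\.%c1%1c\.\./\.\.%c1%1c\.\./\.\.%c1%1c\.\./winnt/system32/cmd\.exe\?/c\+dir",worm attack (W32.Nimda.A@mm)

# cmd.exe requested through a drive-letter path ("/c/..." or "/d/...").
groupurl = "^/[cd]/winnt/system32/cmd\.exe\?/c\+dir",worm attack (W32.Nimda.A@mm)

# Catch-all for the remaining encoded traversal variants under /scripts;
# "(.*)" accepts any encoding between the two "..".
groupurl = "^/scripts/\.\.%(.*)\.\./winnt/system32/cmd\.exe\?/c\+dir",worm attack (W32.Nimda.A@mm)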