Jeff Trawick wrote: > On Tue, 26 Oct 2004 14:51:59 +0100, Ivan Ristic <[EMAIL PROTECTED]> wrote: > >> Sure, you may need to have some logic to determine what makes >> an attack and what not, but you must have the log entry to >> begin with so you feed it to the algorithm. > > Something I'm still curious about: Was the logging with Apache 1.3 not > sufficient (logging only for the timeout error)? It still seems that > Apache 2 is going to be logging more than Apache 1.3, which is > something that deserves a bit of scrutiny.
Logging timeouts only is fine by me. Actually, I didn't realize the patch would cause logging in other cases. I mean, I am not saying that message alone will resolve all possible abuse scenarios but it certainly helps significantly. I hope to spend some time in the near future testing various DoS scenarios. You'll hear from me if there's anything interesting to tell. -- ModSecurity (http://www.modsecurity.org) [ Open source IDS for Web applications ]