1# $Id: group.url.conf,v 1.4 2006/07/31 21:00:35 erich Exp $ 2[groupurl] 3# Group index pages with directory page 4groupurl = "^(/.*/)(index|default)\.(html?|shtml|phtml|php[34]?|cgi|pl|jsp|asp)",$1 5# Group CGIs by stripping parameters 6groupurl="^(.+?)\?",$1 7 8[group_exploits] 9# Typical requests by common internet worms 10groupurl = "^/default\.ida\?XXXXXXX",worm attack (Code.Red II) 11groupurl = "^/default\.ida\?NNNNNNN",worm attack (Code.Red) 12groupurl = "^/(MSADC|scripts)/root\.exe\?/c\+dir",worm attack (W32.Nimda.A@mm) 13groupurl = "^/(_mem_bin|_vti_bin)/\.\.%255c\.\./\.\.%255c\.\./\.\.%255c\.\./winnt/system32/cmd.exe\?/c\+dir",worm attack (W32.Nimda.A@mm) 14groupurl = "^/msadc/\.\.%255c\.\./\.\.%255c\.\./\.\.%255c/\.\.%c1%1c\.\./\.\.%c1%1c\.\./\.\.%c1%1c\.\./winnt/system32/cmd.exe\?/c\+dir",worm attack (W32.Nimda.A@mm) 15groupurl = "^/[cd]/winnt/system32/cmd.exe\?/c\+dir",worm attack (W32.Nimda.A@mm) 16groupurl = "^/scripts/\.\.%(.*)\.\./winnt/system32/cmd.exe\?/c\+dir",worm attack (W32.Nimda.A@mm) 17groupurl = "^/MSOffice/ctlreq\.asp",Microsoft Office attack 18groupurl = "^/_vti_bin/owssrv\.dll",Frontpage Server Extensions attack 19 20