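# $Id: group.url.conf,v 1.4 2006/07/31 21:00:35 erich Exp $
#
# URL grouping rules for log reports. Each rule has the form
#   groupurl = "<regex>",<label>
# The label appears to be either literal text or a back-reference such as $1.
# NOTE(review): confirm with the consuming tool whether rules are
# first-match-wins and whether matching is case-sensitive. Both affect
# which requests end up in which group.

[groupurl]
# Group index pages with directory page
groupurl = "^(/.*/)(index|default)\.(html?|shtml|phtml|php[34]?|cgi|pl|jsp|asp)",$1
# Group CGIs by stripping parameters
groupurl = "^(.+?)\?",$1

[group_exploits]
# Typical requests by common internet worms.
# A match only shows that the request was received, not that it succeeded;
# check the response status for the same log entry before treating it as a
# compromise. The patterns are anchored to specific historic request shapes,
# so variants with other encodings or letter case will not be grouped here.
groupurl = "^/default\.ida\?XXXXXXX",worm attack (Code.Red II)
groupurl = "^/default\.ida\?NNNNNNN",worm attack (Code.Red)
groupurl = "^/(MSADC|scripts)/root\.exe\?/c\+dir",worm attack (W32.Nimda.A@mm)
# %255c is a double-encoded backslash (%25 decodes to "%", leaving %5c).
# The dot in cmd.exe is escaped below, consistent with root\.exe above, so
# the rule matches only the literal file name.
groupurl = "^/(_mem_bin|_vti_bin)/\.\.%255c\.\./\.\.%255c\.\./\.\.%255c\.\./winnt/system32/cmd\.exe\?/c\+dir",worm attack (W32.Nimda.A@mm)
groupurl = "^/msadc/\.\.%255c\.\./\.\.%255c\.\./\.\.%255c/\.\.%c1%1c\.\./\.\.%c1%1c\.\./\.\.%c1%1c\.\./winnt/system32/cmd\.exe\?/c\+dir",worm attack (W32.Nimda.A@mm)
groupurl = "^/[cd]/winnt/system32/cmd\.exe\?/c\+dir",worm attack (W32.Nimda.A@mm)
# Catch-all for other encoded traversal variants under /scripts/.
groupurl = "^/scripts/\.\.%(.*)\.\./winnt/system32/cmd\.exe\?/c\+dir",worm attack (W32.Nimda.A@mm)
# NOTE(review): requests for these two paths are also known to come from
# Microsoft Office / Internet Explorer discussion features on ordinary
# clients, so treat these groups as low-confidence indicators. The commonly
# logged path is spelled "cltreq.asp"; verify the spelling below against
# real log entries before relying on this rule.
groupurl = "^/MSOffice/ctlreq\.asp",Microsoft Office attack
groupurl = "^/_vti_bin/owssrv\.dll",Frontpage Server Extensions attack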