Jay Austad <austad at signal15.com> writes:

> I don't think you'll see anything in the logs, as the exploit is
> actually in the SSL negotiation phase, before the time that anything
> would make an http request.  Since apache doesn't log just connection
> attempts, you won't see it.  If you turned on some debugging
> somewhere, you might see traces of it. It's possible that something
> like snort would not be able to see it either, because the exploit may
> take place after a secure session is set up.  I'm not sure at what
> point of the ssl negotiation that the exploit actually takes place.

As I read the advisory, there's an initial probe where what it's
really looking for is configuration info, which logs a specific
request.
-- 
David Dyer-Bennet, dd-b at dd-b.net  /  http://www.dd-b.net/dd-b/
 John Dyer-Bennet 1915-2002 Memorial Site http://john.dyer-bennet.net
	   Dragaera mailing lists, see http://dragaera.info