urberleo
asked on
Mod_security blocking iscsan scanner
Hello experts,
I really need some help here. I need to block the vulnerability scanner; I keep getting these logs on my Linux Apache server:
[error] [client 71.59.164.182] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
I have put the rules below in my mod_security 1.9, but I am still getting those logs, meaning they are still able to scan... Please tell me what went wrong and what rules I should put in mod_security 1.9 to effectively block this scanning.
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
SecFilterSelective REQUEST_URI "\w00tw00t\.at\.ISC\.SANS"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:\)"
Thank you.
Please look to this schema:
http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/html-multipage/04-processing-phases.html
According to this processing order (internal to Apache), your rules would be executed in Phase 1 (Request Headers).
From this manual:
Phase Request Headers
Rules in this phase are processed immediately _after_ Apache completes reading the request headers (post-read-request phase).
However, the message 'client sent HTTP/1.1 request without hostname' is produced in Apache's early header-parsing phase, when your security engine is not yet active.
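As an added illustration (not code from the original thread, and not part of the ModSecurity project), the script below parses Apache error-log lines of the kind quoted in the question, groups the Host-less requests by client address, flags the w00tw00t/DFind probe string, and mirrors the protocol check Apache applies while reading the request, which is the reason such a request never reaches a phase-1 rule. The log lines and IP addresses are constructed samples, and the function names are my own.

```python
"""Added example: read Apache 'request without hostname' error-log lines and
show why a Host-less HTTP/1.1 request is rejected before mod_security runs.
All log lines and addresses below are constructed, not from a real server."""
import re
from collections import defaultdict

# One 'request without hostname' line as Apache writes it to the error log.
NO_HOST_RE = re.compile(
    r"^\[error\] \[client (?P<ip>[^\]]+)\] "
    r"client sent HTTP/1\.1 request without hostname "
    r"\(see RFC2616 section 14\.23\): (?P<uri>\S*)$"
)

# Marker string used by the DFind/w00tw00t scanner, as in the question's log.
W00TW00T_MARKER = "w00tw00t.at.ISC.SANS.DFind"

# Constructed sample log excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
[error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico
"""


def parse_no_host_line(line):
    """Return {'ip': ..., 'uri': ...} for a 'without hostname' line, else None."""
    m = NO_HOST_RE.match(line.strip())
    return m.groupdict() if m else None


def is_w00tw00t_probe(uri):
    """True when the requested path carries the DFind scanner marker."""
    return W00TW00T_MARKER in uri


def summarize(log_text):
    """Group Host-less requests by client IP, counting scanner probes separately."""
    report = defaultdict(lambda: {"requests": 0, "w00tw00t": 0, "uris": []})
    for line in log_text.splitlines():
        rec = parse_no_host_line(line)
        if rec is None:  # unrelated error-log line
            continue
        entry = report[rec["ip"]]
        entry["requests"] += 1
        if is_w00tw00t_probe(rec["uri"]):
            entry["w00tw00t"] += 1
        entry["uris"].append(rec["uri"])
    return dict(report)


def rejected_before_modsecurity(request_line, headers):
    """Mirror the check Apache makes while parsing the request: an HTTP/1.1
    request with no Host header is answered with 400 during header parsing,
    before the post-read-request hook where phase-1 rules would run.
    `headers` is a list of (name, value) tuples."""
    version = request_line.split()[-1]
    has_host = any(name.lower() == "host" for name, _ in headers)
    return version == "HTTP/1.1" and not has_host


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {entry['requests']} Host-less request(s), "
              f"{entry['w00tw00t']} w00tw00t probe(s)")
    print("reaches mod_security?",
          not rejected_before_modsecurity("GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1", []))
```

Because Apache has already answered these requests with a 400 before any module ran, the log entries record probes that were rejected, not a rule that failed to fire; a parser like this is enough to see which addresses are probing and to decide whether they are worth blocking upstream of Apache rather than in mod_security.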
ASKER
Hello,
This phase manual is for 2.X; my mod_security is 1.9, so how should I let the rules execute before Apache completes reading?
> how should I let the rules execute before apache completes reading?
You can't - short answer. Long answer - you can, BUT you would have to modify the Apache code (add hooks before the headers are processed) and then modify mod_security to bind to those hooks (it requires _serious_ code changes, since mod_security relies on already parsed headers).
ASKER
Thanks