Solved

Mod_security blocking iscsan scanner

Posted on 2007-03-18
Last Modified: 2007-12-19
Hello experts,

I really need some help here. I need to block the vulnerability scanner; I keep getting these logs on my Linux Apache server:

[error] [client 71.59.164.182] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

I have put the rules below into my mod_security 1.9, but I am still getting those logs, meaning they are still able to scan... Please tell me what went wrong and what rules I should put in mod_security 1.9 to effectively block this scanning.

SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
SecFilterSelective REQUEST_URI "\w00tw00t\.at\.ISC\.SANS"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:\)"


Thank you.
Question by:urberleo
6 Comments

Author Comment

by:urberleo
ID: 18744657
Any help?
LVL 27

Expert Comment

by:Nopius
ID: 18753849
Please look at this schema:
http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/html-multipage/04-processing-phases.html

According to this processing order (internal to Apache), your rules should be executed in Phase 1 (Phase Request Headers).

From this manual:
Phase Request Headers
Rules in this phase are processed immediately _after_ Apache completes reading the request headers (post-read-request phase).

Whereas this message, 'client sent HTTP/1.1 request without hostname', comes from Apache's early 'parse header' phase, where your security engine is not yet active.

Author Comment

by:urberleo
ID: 18757484
Hello,

this phase manual is for 2.X; my mod_security is 1.9, so how should I let the rules execute before Apache completes reading?
LVL 27

Expert Comment

by:Nopius
ID: 18761055
> how should I let the rules execute before apache completes reading?
You can't - short answer. Long answer - you can, BUT you would have to modify the Apache code (add hooks before processing headers) and then modify mod_security to bind those hooks (it requires _serious_ code changes, since mod_security relies on already parsed headers).
LVL 27

Accepted Solution

by:Nopius (earned 500 total points)
ID: 18761087
However, you don't have strong reasons to worry. Absence of the "Host:" header in an HTTP/1.1 request may be the only issue (or one of a very small set) that you can see in your logs. Most other problems will be solved with mod_security.
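A defender's way to use that early rejection as a detection signal, added here as an example that is not part of the thread: Apache has already refused these HTTP/1.1 requests (no Host: header) before any mod_security phase runs, so the error_log line quoted in the question is the only trace, and a small parser over such lines can count DFind probes per client IP for whatever log-driven blocking you use. The regex, function names and sample log lines below are my own constructions, not from the thread.

```python
import re
from collections import Counter

# Apache error_log line in the format quoted in the question: the request was
# rejected by Apache's header parsing (RFC 2616 14.23) before mod_security ran.
ERROR_LINE = re.compile(
    r"\[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
    r"client sent HTTP/1\.1 request without hostname "
    r"\(see RFC2616 section 14\.23\): (?P<uri>\S+)"
)
# Marker string the DFind scanner sends, as seen in the question's log line.
SCANNER_MARKER = re.compile(r"w00tw00t\.at\.ISC\.SANS\.DFind", re.IGNORECASE)

def parse_rejected_request(line):
    """Return (ip, uri) for a 'request without hostname' line, else None."""
    m = ERROR_LINE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("uri")

def find_scanner_hits(lines):
    """Yield (ip, uri) for rejected requests whose URI carries the DFind marker."""
    for line in lines:
        parsed = parse_rejected_request(line)
        if parsed and SCANNER_MARKER.search(parsed[1]):
            yield parsed

def count_scanners(lines, threshold=1):
    """Count marker hits per client IP; keep only IPs at or above threshold."""
    counts = Counter(ip for ip, _ in find_scanner_hits(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample log lines (addresses are from documentation ranges).
SAMPLE_LOG = [
    "[Sun Mar 18 10:01:02 2007] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)",
    "[Sun Mar 18 10:01:03 2007] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)",
    "[Sun Mar 18 10:02:00 2007] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /index.html",
    "[Sun Mar 18 10:03:00 2007] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico",
]

if __name__ == "__main__":
    for ip, n in sorted(count_scanners(SAMPLE_LOG).items()):
        print(f"{ip}: {n} DFind probe(s) rejected by Apache before mod_security ran")
```

The third sample line is a plain client without a Host: header and is deliberately not counted; only the marker-bearing URIs are.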

Author Comment

by:urberleo
ID: 18767743
Thanks