Mod_security blocking iscsan scanner

Hello experts,

really need some helps here, I need to block the vulnerable scanner, I Kept getting these logs on my linux apache server:

[error] [client 71.59.164.182] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

I have input the rules below on my mod_security 1.9 but I still getting those logs, meaning they still able to scan... Please tell me what went wrong and what rules should I put in mod_secruity 1.9 to effectively block those scanning.

SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
SecFilterSelective REQUEST_URI "\w00tw00t\.at\.ISC\.SANS"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:\)"


Thank you.
urberleoAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

urberleoAuthor Commented:
Any helps?
0
Artysystem administratorCommented:
Please look to this schema:
http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/html-multipage/04-processing-phases.html

According to this processing order (internal to Apache), your rules should be executed in Phase1 (Phase Request Headers).

From this manual:
Phase Request Headers
Rules in this phase are processed immediately _after_ Apache completes reading the request headers (post-read-request phase).

While this message 'client sent HTTP/1.1 request without hostname' is occured from apache 'parse header' early phase where your security engine still not active.
0
urberleoAuthor Commented:
Hello,

this phase manual if for 2.X, my mod_security is 1.9 so how should I let the rules execute before apache completes reading?
0
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

Artysystem administratorCommented:
> how should I let the rules execute before apache completes reading?
You can't - short answer. Long answer - you can, BUT you should modify apache code (add hooks before processing headers) then modify mod_security to bind that hooks (it requires _serios_ code changes since mod_security relies on already parsed headers).

0
Artysystem administratorCommented:
However you don't have strong reasons to worry about. Absence of "Host:" header in HTTP1/1 request  may be the only issue (or one of very small set) that you can see in your logs. Most other problems will be solved with mod_security.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
urberleoAuthor Commented:
Thanks
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Servers

From novice to tech pro — start learning today.