Solved

Mod_security blocking iscsan scanner

Posted on 2007-03-18
Last Modified: 2007-12-19
Hello experts,

I really need some help here. I need to block the vulnerability scanner; I kept getting these logs on my Linux Apache server:

[error] [client 71.59.164.182] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

I have put the rules below into my mod_security 1.9, but I am still getting those logs, meaning they are still able to scan... Please tell me what went wrong and what rules I should put in mod_security 1.9 to effectively block that scanning.

SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
SecFilterSelective REQUEST_URI "\w00tw00t\.at\.ISC\.SANS"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:\)"


Thank you.
Question by: urberleo
6 Comments
 

Author Comment

by: urberleo
ID: 18744657
Any helps?
 
LVL 27

Expert Comment

by: Nopius
ID: 18753849
Please look at this diagram:
http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/html-multipage/04-processing-phases.html

According to this processing order (internal to Apache), your rules should be executed in Phase1 (Phase Request Headers).

From this manual:
Phase Request Headers
Rules in this phase are processed immediately _after_ Apache completes reading the request headers (post-read-request phase).

This message, 'client sent HTTP/1.1 request without hostname', however, occurs in Apache's early header-parsing phase, where your security engine is not yet active.
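To make the ordering in the comment above concrete, here is an added illustration (not Apache or mod_security code, and not part of the original thread): a stripped-down model in which the core request parser enforces the HTTP/1.1 Host requirement first, and a phase-1 rule equivalent to the question's REQUEST_URI filter only runs on requests the core accepted. The requests are constructed for the example; only the first one mirrors what the log line shows the scanner sending.

```python
import re

# Added illustration (not Apache or mod_security code): a stripped-down model of
# the ordering described above. Apache's core parser rejects an HTTP/1.1 request
# with no Host header (RFC 2616 section 14.23) before the post-read-request hook
# where a phase-1 mod_security rule would run, so the rule never gets a chance.

# The question's REQUEST_URI filter as a plain regex (assumed case-sensitive).
W00TW00T_RULE = re.compile(r"w00tw00t\.at\.ISC\.SANS\.DFind")


def parse_request(raw: bytes):
    """Split a raw request into (request line, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def core_read_request(raw: bytes):
    """Stage 1, Apache core: returns (status, decided_by, uri); status is None if accepted."""
    request_line, headers = parse_request(raw)
    parts = request_line.split(" ")
    if len(parts) != 3:
        return "400 Bad Request", "core", None
    _method, uri, version = parts
    if version == "HTTP/1.1" and "host" not in headers:
        # This is the path that logs "client sent HTTP/1.1 request without hostname".
        return "400 Bad Request", "core", uri
    return None, None, uri


def modsecurity_phase1(uri: str):
    """Stage 2, mod_security phase 1: only reached after core accepted the request."""
    if W00TW00T_RULE.search(uri):
        return "403 Forbidden", "mod_security"
    return "200 OK", "handler"


def handle(raw: bytes):
    """Run the two stages in Apache's order and report who decided the outcome."""
    status, decided_by, uri = core_read_request(raw)
    if status is not None:
        return status, decided_by
    return modsecurity_phase1(uri)


# Constructed requests, not captured traffic. The first is what the log shows the scanner sending.
SCANNER_NO_HOST = b"GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1\r\n\r\n"
SCANNER_WITH_HOST = (b"GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1\r\n"
                     b"Host: www.example.com\r\n\r\n")
SCANNER_HTTP10 = b"GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.0\r\n\r\n"
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("scanner, no Host", SCANNER_NO_HOST),
                      ("scanner, with Host", SCANNER_WITH_HOST),
                      ("scanner, HTTP/1.0", SCANNER_HTTP10),
                      ("normal request", NORMAL)]:
        print(f"{name:20s} -> {handle(req)}")
```

Running it shows the point: the Host-less HTTP/1.1 probe is answered with 400 by the core and the filter is never consulted, while the same URI sent with a Host header, or as HTTP/1.0 (where Host is optional), does reach the rule and is blocked by it.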
 

Author Comment

by: urberleo
ID: 18757484
Hello,

this phase manual is for 2.X; my mod_security is 1.9, so how should I make the rules execute before Apache completes reading?
 
LVL 27

Expert Comment

by: Nopius
ID: 18761055
> how should I let the rules execute before apache completes reading?
Short answer: you can't. Long answer: you can, BUT you would have to modify the Apache code (add hooks before header processing) and then modify mod_security to bind to those hooks (this requires _serious_ code changes, since mod_security relies on already-parsed headers).

 
LVL 27

Accepted Solution

by: Nopius (earned 500 total points)
ID: 18761087
However, you don't have strong reasons to worry. The absence of a "Host:" header in an HTTP/1.1 request may be the only issue (or one of a very small set) that you will see in your logs like this. Most other problems will be solved with mod_security.
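Since the core rejects the probe before any mod_security phase runs, the error-log line quoted in the question is the only artifact the server produces, and blocking has to happen outside mod_security, at the packet filter. The following added example (not from the thread or from mod_security) parses that log format, counts the DFind probes per client address, and renders firewall rules for the offenders. The log lines and the RFC 5737 test addresses are constructed for the example; the iptables command and the hit threshold are an assumed local policy, not something the page prescribes.

```python
import re
from collections import Counter

# Added example, not from the thread. The probe is rejected by Apache's core
# before mod_security runs, so the error-log line is all we get; extract the
# source addresses from it so they can be blocked at the packet filter.

# Matches the message quoted in the question. Not anchored at the start of the
# line, because a real error_log prefixes a timestamp before "[error]".
LOG_RE = re.compile(
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"client sent HTTP/1\.1 request without hostname.*?: "
    r"(?P<uri>/w00tw00t\.at\.ISC\.SANS\.DFind\S*)"
)

# Constructed sample log, using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
[Sun Mar 18 10:02:11 2007] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Mar 18 10:02:12 2007] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
[Sun Mar 18 10:02:15 2007] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Mar 18 10:03:40 2007] [error] [client 203.0.113.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
"""


def scanner_hits(log_text: str) -> Counter:
    """Count DFind probes per client IP; lines for other errors are ignored."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def iptables_rules(hits: Counter, min_hits: int = 1) -> list:
    """Render one DROP rule per address at or above the threshold (assumed policy)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP"
            for ip, n in sorted(hits.items()) if n >= min_hits]


if __name__ == "__main__":
    hits = scanner_hits(SAMPLE_LOG)
    print(dict(hits))
    for rule in iptables_rules(hits):
        print(rule)
```

In practice this is what a log-watching tool such as fail2ban does continuously; the regex above is the piece that would go into its filter, and the rendered command is the action. Blocking on a single probe is reasonable here because the URI is not something a legitimate client ever requests.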
 

Author Comment

by: urberleo
ID: 18767743
Thanks