Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Mod_security blocking iscsan scanner

Posted on 2007-03-18
6
Medium Priority
?
684 Views
Last Modified: 2007-12-19
Hello experts,

really need some helps here, I need to block the vulnerable scanner, I Kept getting these logs on my linux apache server:

[error] [client 71.59.164.182] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

I have input the rules below on my mod_security 1.9 but I still getting those logs, meaning they still able to scan... Please tell me what went wrong and what rules should I put in mod_secruity 1.9 to effectively block those scanning.

SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
SecFilterSelective REQUEST_URI "\w00tw00t\.at\.ISC\.SANS"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:\)"


Thank you.
0
Comment
Question by:urberleo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 

Author Comment

by:urberleo
ID: 18744657
Any helps?
0
 
LVL 27

Expert Comment

by:Nopius
ID: 18753849
Please look to this schema:
http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/html-multipage/04-processing-phases.html

According to this processing order (internal to Apache), your rules should be executed in Phase1 (Phase Request Headers).

From this manual:
Phase Request Headers
Rules in this phase are processed immediately _after_ Apache completes reading the request headers (post-read-request phase).

While this message 'client sent HTTP/1.1 request without hostname' is occured from apache 'parse header' early phase where your security engine still not active.
0
 

Author Comment

by:urberleo
ID: 18757484
Hello,

this phase manual if for 2.X, my mod_security is 1.9 so how should I let the rules execute before apache completes reading?
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 27

Expert Comment

by:Nopius
ID: 18761055
> how should I let the rules execute before apache completes reading?
You can't - short answer. Long answer - you can, BUT you should modify apache code (add hooks before processing headers) then modify mod_security to bind that hooks (it requires _serios_ code changes since mod_security relies on already parsed headers).

0
 
LVL 27

Accepted Solution

by:
Nopius earned 2000 total points
ID: 18761087
However you don't have strong reasons to worry about. Absence of "Host:" header in HTTP1/1 request  may be the only issue (or one of very small set) that you can see in your logs. Most other problems will be solved with mod_security.
0
 

Author Comment

by:urberleo
ID: 18767743
Thanks
0

Featured Post

Survive A High-Traffic Event with Percona

Your application or website rely on your database to deliver information about products and services to your customers. You can’t afford to have your database lose performance, lose availability or become unresponsive – even for just a few minutes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the typical problems I have experienced is when you have to move a web server from one hosting site to another. You normally prepare all on the new host, transfer the site, change DNS and cross your fingers hoping all will be ok on new server…
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Suggested Courses

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question