Solved

Mod_security blocking iscsan scanner

Posted on 2007-03-18
6
663 Views
Last Modified: 2007-12-19
Hello experts,

really need some helps here, I need to block the vulnerable scanner, I Kept getting these logs on my linux apache server:

[error] [client 71.59.164.182] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

I have input the rules below on my mod_security 1.9 but I still getting those logs, meaning they still able to scan... Please tell me what went wrong and what rules should I put in mod_secruity 1.9 to effectively block those scanning.

SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
SecFilterSelective REQUEST_URI "\w00tw00t\.at\.ISC\.SANS"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:"
SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:\)"


Thank you.
0
Comment
Question by:urberleo
  • 3
  • 3
6 Comments
 

Author Comment

by:urberleo
ID: 18744657
Any helps?
0
 
LVL 27

Expert Comment

by:Nopius
ID: 18753849
Please look to this schema:
http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/html-multipage/04-processing-phases.html

According to this processing order (internal to Apache), your rules should be executed in Phase1 (Phase Request Headers).

From this manual:
Phase Request Headers
Rules in this phase are processed immediately _after_ Apache completes reading the request headers (post-read-request phase).

While this message 'client sent HTTP/1.1 request without hostname' is occured from apache 'parse header' early phase where your security engine still not active.
0
 

Author Comment

by:urberleo
ID: 18757484
Hello,

this phase manual if for 2.X, my mod_security is 1.9 so how should I let the rules execute before apache completes reading?
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 27

Expert Comment

by:Nopius
ID: 18761055
> how should I let the rules execute before apache completes reading?
You can't - short answer. Long answer - you can, BUT you should modify apache code (add hooks before processing headers) then modify mod_security to bind that hooks (it requires _serios_ code changes since mod_security relies on already parsed headers).

0
 
LVL 27

Accepted Solution

by:
Nopius earned 500 total points
ID: 18761087
However you don't have strong reasons to worry about. Absence of "Host:" header in HTTP1/1 request  may be the only issue (or one of very small set) that you can see in your logs. Most other problems will be solved with mod_security.
0
 

Author Comment

by:urberleo
ID: 18767743
Thanks
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

If you've heard about htaccess and it sounds like it does what you want, but you're not sure how it works... well, you're in the right place. Read on. Some Basics #1. It's a file and its filename is .htaccess (yes, with a dot in the front). #…
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now