From: Jerry [mailto:gmane@...]
Sent: Monday, December 15, 2008 8:12 AM
Subject: [mod-security-users] w00tw00t rule
I get a lot of w00tw00t "client sent HTTP/1.1 request without hostname" errors
in the log file.
I think these are like scouting missions which precede other exploit
attacks. It is like an attack source first sends out a w00t and, based on the
response, decides to attempt exploits on that IP address.
Apache itself seems to respond to "client sent HTTP/1.1 request without
hostname" problems before ModSecurity does, so I cannot create a rule and
Q. Does apache return anything to the attack source? i.e. is Apache
responding with a specific code (I presume 400) so that the attack source
can then determine what exploit to attempt.
[Ryan Barnett] There are some HTTP compliance issues that Apache will handle internally before a ModSecurity phase:1 rule can work within the post-read-request hook. In this case, the client sent a "HTTP/1.1" request but didn't include a Host header. When this happens, Apache will issue the 400 Bad Request and it will immediately go to the logging phase. Depending on your Apache configs (ErrorDoc settings, etc...) this may or may not populate the ModSecurity WEBSERVER_ERROR_LOG variable in phase:5. Did the following CRS rule not trigger? -
# Log a security event when the request is rejected by apache
# (phase:5 runs after Apache has already answered with the 400; the chained
# second rule only matches when the error-log entry for the transaction was
# not written by ModSecurity itself, so ModSecurity's own denials are not
# logged a second time)
SecRule RESPONSE_STATUS ^400$ "t:none,phase:5,chain,log,auditlog,pass,msg:'Invalid request',id:'960913',severity:'2'"
SecRule WEBSERVER_ERROR_LOG !ModSecurity "t:none"
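As an added illustration of what Ryan describes (this is example code written for this page, not code from the thread, from Apache or from the CRS): since Apache answers the Host-less request before any phase:1 rule runs, the only traces of the probe are the 400 in the access log and the "client sent HTTP/1.1 request without hostname" line in the error log. The script below parses Apache 2.2 style error_log lines (the sample lines are constructed, with RFC 5737 documentation addresses), pulls out the source IP and the request-URI that follows the message, and summarises the w00tw00t probes per source. It also models the decision of the chained rule 960913 in plain Python: fire on a 400 only when at least one error-log message for the transaction was not produced by ModSecurity, and not at all when WEBSERVER_ERROR_LOG is empty, which is the case Ryan flags as config-dependent. The per-element handling of the negated operator is my reading of ModSecurity 2.x collection semantics and is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data in Apache 2.2 error_log format; not taken from the
# original post. The hostname message is what httpd emits for an HTTP/1.1
# request with no Host header; the request-URI follows the final ": ".
SAMPLE_ERROR_LOG = """\
[Mon Dec 15 08:01:13 2008] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Dec 15 08:01:14 2008] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Dec 15 08:03:42 2008] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Dec 15 08:05:00 2008] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico
[Mon Dec 15 08:07:21 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [id "950001"] [uri "/index.php"]
"""

# [timestamp] [level] [client IP] message
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$"
)
NO_HOST_MSG = "client sent HTTP/1.1 request without hostname"


def parse_error_line(line):
    """Split one error_log line into its fields, or return None if it does not parse."""
    m = ERROR_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def hostless_requests(lines):
    """Yield (client_ip, request_uri) for every request Apache rejected for lacking Host."""
    for line in lines:
        rec = parse_error_line(line)
        if rec is None or not rec["msg"].startswith(NO_HOST_MSG):
            continue
        # The request-URI is everything after the last ": " in the message;
        # the w00tw00t URI itself ends in ":)" (no space), so it survives intact.
        uri = rec["msg"].rsplit(": ", 1)[1] if ": " in rec["msg"] else ""
        yield rec["ip"], uri


def is_w00tw00t(uri):
    """True for the DFind scanner's signature path."""
    return "w00tw00t" in uri.lower()


def probe_summary(lines):
    """Per source IP: how many Host-less requests it sent, which URIs, and whether
    any of them was the w00tw00t probe."""
    counts = Counter()
    uris = defaultdict(set)
    for ip, uri in hostless_requests(lines):
        counts[ip] += 1
        uris[ip].add(uri)
    return {
        ip: {
            "count": n,
            "uris": sorted(uris[ip]),
            "w00tw00t": any(is_w00tw00t(u) for u in uris[ip]),
        }
        for ip, n in counts.items()
    }


def crs_960913_fires(response_status, error_log_messages):
    """Plain-Python model of the chained rule quoted above.

    First link: RESPONSE_STATUS must be exactly 400.
    Second link: WEBSERVER_ERROR_LOG !ModSecurity. Assumed semantics (my reading
    of ModSecurity 2.x): a negated operator over a collection matches when at
    least one element does NOT contain the pattern, and an empty collection
    matches nothing. So a 400 that ModSecurity itself issued is not re-logged,
    and a 400 whose error-log entry never reached ModSecurity goes unnoticed.
    """
    if response_status != 400:
        return False
    return any("ModSecurity" not in msg for msg in error_log_messages)


if __name__ == "__main__":
    for ip, info in sorted(probe_summary(SAMPLE_ERROR_LOG.splitlines()).items()):
        flag = "w00tw00t probe" if info["w00tw00t"] else "other Host-less request"
        print(f"{ip:15} {info['count']:3d} {flag:25} {info['uris']}")
```

Run against a real error_log, the summary gives the scanner addresses Jerry is after without depending on whether the 400 ever reached a ModSecurity phase; the model function makes explicit why rule 960913 stays silent when the error-log entry is not visible to ModSecurity in phase:5.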