Exactly why I asked about the problem of not been able to catch malformed requests... I was investigating how httprint identifies de remote host, and trying to filter this.



On Fri, 2005-08-19 at 08:08 -0400, Ryan Barnett wrote:
Another small benefit of plugging mod_security into hook-0 would be
its ability to alter the sematic characteristics of Apache that web
server fingerprinting apps often rely on for accuracy.

HTTPrint -

Identification of web servers despite the banner string and any other
obfuscation. httprint can successfully identify the underlying web
servers when their headers are mangled by either patching the binary,
by modules such as mod_security.c or by commercial products such as

HTTPrint sends malformed requests that Apache will respond to is a
distinct way.  Allowing Mod_Security to get the first crack at
inspecting these requests will help to alter the default Apache

Looks like it is time to have some fun with Mod_Security's "status"
flag and see how these fingerprinters react :)

Leandro Meiners
CYBSEC S.A. Security Systems
E-mail: lmeiners@cybsec.com
Tel/Fax: [54-11] 4382-1600
Web: http://www.cybsec.com