Re: [mod-security-users] Creating A rule for Search's
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Creating A rule for Search's
|
From: Javier Fernandez-S. <jfe...@ge...> - 2004-07-22 06:54:57
|
Jim Gifford wrote:
> I keep having numerous people using some type of attack on my
apache server.
> I think mod_security is the best to handle it, but I don't
understand how to
> create a rule based on the limited information I have. I will share
what I
> know and the pattern of the attack.
That's not directed towards you, it's probably one of IIS worms (or
autorootkits) making the rounds. The vulnerability exploited is the
one fixed by MS03-007
>
> Over the last 2 weeks, I get numerous search request from multiple IP's
> about anywhere from 1sec to 15 minutes apart. Started to
investigate the IP
> addresses, but they show up as being spoofed. In the Apache Log, I
get the
> following messages when this attack happens. It's a long one, I get
about
> 400 to 1000 a day of these.
Actually, many exploitation attempts use open proxies and there are
quite a lot of them in contast use.
> How can I create a rule for mod-security to block this. Thank you
You could either:
1.- block all HTTP SEARCH requests: SecFilter "SEARCH "
2.- block all requests over an specific size (for example, over 100
characters any of the header lines): SecFilterSelective HTTP_Header
"^.{100,}$"
I believe the above examples are correct, but I have not tested them
myself.
Regards
Javier
|