Re: [mod-security-users] Creating A rule for Search's
From: Javier Fernandez-S. <jfe...@ge...> - 2004-07-22 06:54:57
Jim Gifford wrote:
> I keep having numerous people using some type of attack on my apache server.
> I think mod_security is the best to handle it, but I don't understand how to
> create a rule based on the limited information I have. I will share what I
> know and the pattern of the attack.

That's not directed towards you, it's probably one of the IIS worms (or autorootkits) making the rounds. The vulnerability exploited is the one fixed by MS03-007.

>
> Over the last 2 weeks, I get numerous search requests from multiple IPs
> about anywhere from 1sec to 15 minutes apart. Started to investigate the IP
> addresses, but they show up as being spoofed. In the Apache Log, I get the
> following messages when this attack happens. It's a long one, I get about
> 400 to 1000 a day of these.

Actually, many exploitation attempts use open proxies and there are quite a lot of them in constant use.

> How can I create a rule for mod-security to block this. Thank you

You could either:

1.- block all HTTP SEARCH requests:

    SecFilter "SEARCH "

2.- block all requests over a specific size (for example, over 100 characters in any of the header lines):

    SecFilterSelective HTTP_Header "^.{100,}$"

I believe the above examples are correct, but I have not tested them myself.

Regards

Javier
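An added example, not part of the original message: a Python approximation of the two checks suggested in the reply, run over constructed requests to see what each one matches before a rule goes live. The method check is anchored to the start of the request line as a choice made for this example; the sample requests, host name and labels are assumptions.

```python
import re

# Python approximations of the two checks from the reply (assumption: plain
# regex matching on the raw request, not ModSecurity's own processing).
SEARCH_METHOD = re.compile(r"^SEARCH ")   # option 1, anchored to the method here
LONG_HEADER = re.compile(r"^.{100,}$")    # option 2, pattern as given in the reply

def evaluate(raw_request):
    """Return the names of the checks that a raw HTTP request trips."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    hits = set()
    if SEARCH_METHOD.search(request_line):
        hits.add("search-method")
    if any(LONG_HEADER.search(line) for line in header_lines):
        hits.add("long-header")
    return hits

# Constructed sample requests; the filler bytes stand in for real traffic.
SAMPLES = {
    "oversized SEARCH": "SEARCH /" + "A" * 300 + " HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET with long cookie": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                            "Cookie: sid=" + "c" * 120 + "\r\n\r\n",
    "GET /docs/RESEARCH": "GET /docs/RESEARCH HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

def report(samples=SAMPLES):
    """Map each sample label to the sorted list of checks it trips."""
    return {label: sorted(evaluate(raw)) for label, raw in samples.items()}

if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:22} -> {hits or 'no match'}")
```

In this approximation the oversized SEARCH sample trips only the method check, because its length sits in the request line rather than in a header line, while the ordinary GET carrying a long cookie trips the 100-character check. Replaying a day of real requests through `evaluate` gives a count of what each rule would have blocked.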