Re: [mod-security-users] Network Attack v2.8 and Referers

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Black wrote:
> Hi,
> I want to learn, if we can ban ips with certain log entries by
> mod_security, for example, in the harvest part: "Network Attack v2.8".
> Also, can we reject the connections to our server from certain
> referers such as "www.sanaldarbe.com" , "www.tahribat.com" and
> "www.tithac.com". If we can, then can you help us with this issue?
> Thank you for your time and attention.
> 
> Log Examples: 
> 
> 213.208.67.82 - - [09/Apr/2005:13:34:49 +0200] "GET /index.php
> HTTP/1.0" 200 1177 "-" "FireFox - Network Attack v2.8 - fuck you"
> 212.405.32.11 - - [09/Apr/2005:13:34:49 +0200] "GET /index.php
> HTTP/1.0" 200 1177 "-" "FireFox - Network Attack v2.8 - tithack"

   Sure you can:

   SecFilterSelective HTTP_USER_AGENT "Network Attack"

   or:

   SecFilterSelective HTTP_REFERER "sanaldarbe\.com"

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org