Thread: [mod-security-users] WebDAV Search Filter
From: David C. H. <mod_security@TQMcube.com> - 2004-09-18 18:24:29
(BTW, ModSec is a marvelous bit of code with great potential)

How do I stop these? The converted snort rule (SecFilter "SEARCH " log,pass)
doesn't seem to work.

BTW, could someone explain what these are? The following is abbreviated.
This actually adds 30kb of crap to access_log.

68.109.42.191 - - [18/Sep/2004:04:41:34 -0400] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
From: Ivan R. <iv...@we...> - 2004-09-19 17:44:14
David Cary Hart wrote:

> (BTW, ModSec is a marvelous bit of code with great potential)

Thanks. What other features would you like to see in it?

> How do I stop these? The converted snort rule (SecFilter "SEARCH "
> log,pass) doesn't seem to work.

You can't stop them using mod_security since Apache rejects such
requests before they reach mod_security. Some future version may
include functionality to install "early" filters.

> BTW, could someone explain what these are? The following is abbreviated.
> This actually adds 30kb of crap to access_log.
>
> 68.109.42.191 - - [18/Sep/2004:04:41:34 -0400] "SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1

Such requests are always responded to with a 414 error code. So what
you can do is not log the request line in that case. Like this:

LogFormat "%!414r" no414
CustomLog logs/access_log no414

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
From: David C. H. <mod_security@TQMcube.com> - 2004-09-19 18:16:00
On Sun, 2004-09-19 at 13:46, Ivan Ristic wrote:
> David Cary Hart wrote:
>
> > (BTW, ModSec is a marvelous bit of code with great potential)
>
> Thanks. What other features would you like to see in it?

"Potential" refers to my learning curve; not the mod. The only thing I
would like to see (and it may already be there) is a simplification of
logging so that the whole thing could be incorporated into access_log. A
one line print like "[action] by mod_security at [rule]". Then I could
see everything in one place in chronological order. A good example of
this is the way that Postfix logs reject detail to maillog.

That said, using the "standard" ruleset plus some snort rules and
redirecting to the FBI's intel site, I see a noticeable - SIGNIFICANT -
reduction in attacks after just a few days. At one point, I was using a
combination of Swatch and Snort to write "drops" to IPTables as they
occurred. This was refreshed daily from the rotated snort logs so the
chain was always a seven day accumulation. Yet it contained over 425 IPs
on average. I've eliminated it along with all of the maintenance and
overhead.

> You can't stop them using mod_security since Apache rejects
> such requests before they reach mod_security. Some future version
> may include functionality to install "early" filters.

Right. Snort sees these as they arrive. I'm not sure it's worth either
the effort or the additional complexity to add the "early" feature.

> > BTW, could someone explain what these are? The following is abbreviated.
> > This actually adds 30kb of crap to access_log.
> >
> > 68.109.42.191 - - [18/Sep/2004:04:41:34 -0400] "SEARCH
> > /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1
>
> Such requests are always responded to with a 414 error code. So what
> you can do is not log the request line in that case. Like this:
>
> LogFormat "%!414r" no414
> CustomLog logs/access_log no414
From: Ivan R. <iv...@we...> - 2004-09-19 18:31:30
> "Potential" refers to my learning curve; not the mod. The only thing I
> would like to see (and it may already be there) is a simplification of
> logging so that the whole thing could be incorporated into access_log. A
> one line print like "[action] by mod_security at [rule]". Then I could
> see everything in one place in chronological order.

You can do that using a custom log format. For example:

LogFormat "%h %l %u %t \"%r\" %>s %b %{mod_security-message}i" modsec

This will add mod_security messages at the end of each line of the
access log.

>>> BTW, could someone explain what these are?

I just saw this sentence :)

SEARCH requests are attempts to exploit IIS WebDAV vulnerability, but I
don't know which one.

P.S. Your email server is rejecting direct emails from my email server
with "Helo command rejected: [EHLO] No thanks.".

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]