mod-security-users

[mod-security-users] How to filter this?

[sam w. <sa...@au...>]

Hi,

Recently my website received alot of buffer overflow attacks with the
following content:
1.2.3.4 - - [25/Oct/2004:10:05:34 +0800] "SEARCH
/\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x
02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\ 

x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 ....
...


The apache has plugins mod_security and mod_filter compiled with.
How can I implement rules to filter the above attack?

Thanks
Sam

Re: [mod-security-users] How to filter this?

[Ivan R. <iv...@we...>]

sam wun wrote:

> Hi,
> 
> Recently my website received alot of buffer overflow attacks with the
> following content:
> 1.2.3.4 - - [25/Oct/2004:10:05:34 +0800] "SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x
> 02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\
> 
> x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 ....
> ...
> 
> 
> The apache has plugins mod_security and mod_filter compiled with.
> How can I implement rules to filter the above attack?

  You can't, at least not with mod_security, because Apache responds
  to the request before mod_security gets to see it. You can try
  with mod_rewrite (I haven't so I don't know if it would work)
  or you can use custom logging to remove such things from your
  logs. See here for more details:

http://sourceforge.net/mailarchive/forum.php?thread_id=5595944&forum_id=33492

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]