OT HTTPD
Gregory D Hough
mr6re9-mI4xJ4qlgtBiLUuM0BA3LQ at public.gmane.org
Thu Jun 23 12:22:10 UTC 2005
TLUG,

I'm sure many of you have an httpd or two running, and keep an eye on
them from time to time. Since the beginning of June or perhaps late May
I began to notice an uptick in GET / HTTP/1.0 with no referer or
user-agent. I also noticed these requests were accompanied by two snort
alerts; COMMUNITY WEB-MISC mod_jrun overflow attempt AND (http_inspect)
OVERSIZE REQUEST-URI DIRECTORY. I also learned this AM that the initial
GET and the exploit are from different source ports.

These are difficult to filter because of the many different sources. The
default for httpd was to serve the index code 200. I tweaked the config
to return a 400 with LimitRequestFieldsize 2048 but would prefer a
simple 403 instead. Is there a way to do it for requests having a null
user-agent? I tried BrowserMatch "^$" but it didn't work. Is this a job
for SetEnvIfNoCase? And does anyone know what this thing is or what it's
supposed to be doing and is it even worth the bother?

httpd-2.0.50-1.0

Cheers,
farmer6re9
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
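
An added example, not part of the original post: a log-triage sketch that finds the pattern described above (a bare `GET / HTTP/1.0` with no referer or user-agent) and checks whether the same source follows it with an oversized request. It assumes the Apache "combined" log format; the 2048-byte threshold, the 60-second window, the function names and the sample lines are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
MAX_REQ = 2048                   # assumed size above which a request line counts as oversized
WINDOW = timedelta(seconds=60)   # assumed window for tying a probe to a follow-up

def parse(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_bare_probe(rec):
    """GET / HTTP/1.0 with neither referer nor user-agent (logged as "-")."""
    return (rec["req"] == "GET / HTTP/1.0"
            and rec["ref"] in ("", "-") and rec["ua"] in ("", "-"))

def correlate(lines):
    """Per source: bare probes seen, and oversized requests that followed one within WINDOW."""
    last_probe, report = {}, {}
    for rec in filter(None, map(parse, lines)):
        ip = rec["ip"]
        if is_bare_probe(rec):
            last_probe[ip] = rec["ts"]
            report.setdefault(ip, {"probes": 0, "followed": 0})["probes"] += 1
        elif (len(rec["req"]) > MAX_REQ and ip in last_probe
              and timedelta(0) <= rec["ts"] - last_probe[ip] <= WINDOW):
            report[ip]["followed"] += 1
    return report

# Constructed sample lines (documentation address ranges, filler path).
SAMPLE = [
    '192.0.2.10 - - [23/Jun/2005:08:01:02 -0400] "GET / HTTP/1.0" 200 1456 "-" "-"',
    '192.0.2.10 - - [23/Jun/2005:08:01:03 -0400] "GET /' + "x" * 3000 + ' HTTP/1.0" 400 299 "-" "-"',
    '198.51.100.7 - - [23/Jun/2005:08:02:00 -0400] "GET / HTTP/1.1" 200 1456 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Jun/2005:08:03:00 -0400] "GET / HTTP/1.0" 200 1456 "-" "-"',
]

if __name__ == "__main__":
    for ip, counts in correlate(SAMPLE).items():
        print(ip, counts)
```

Sources with a non-zero `followed` count are the ones where the bare request preceded an oversized one; sources with probes only may be unrelated HTTP/1.0 clients.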