OT HTTPD

Gregory D Hough mr6re9-mI4xJ4qlgtBiLUuM0BA3LQ at public.gmane.org
Thu Jun 23 12:22:10 UTC 2005


TLUG,

I'm sure many of you have an httpd or two running, and keep an eye on 
them from time to time. Since the beginning of June or perhaps late May 
I began to notice an uptick in GET / HTTP/1.0 with no referer or 
user-agent. I also noticed these requests were accompanied by two snort 
alerts; COMMUNITY WEB-MISC mod_jrun overflow attempt AND (http_inspect) 
OVERSIZE REQUEST-URI DIRECTORY. I also learned this AM that the initial 
GET and the exploit are from different source ports.

These are difficult to filter because of the many different sources. The 
default for httpd was to serve the index code 200. I tweaked the config 
to return a 400 with LimitRequestFieldsize 2048 but would prefer a 
simple 403 instead. Is there a way to do it for requests having a null 
user-agent? I tried BrowserMatch "^$" but it didn't work. Is this a job 
for SetEnvIfNoCase? And does anyone know what this thing is or what it's 
supposed to be doing and is it even worth the bother?

httpd-2.0.50-1.0

Cheers,
farmer6re9
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
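
Added example, not part of the original post: a Python sketch that scans Apache combined-format access log lines for the pattern described above, a bare `GET / HTTP/1.0` with no Referer or User-Agent followed from the same address by an oversized or rejected request. The log lines, the 60-second pairing window and the use of status 400/414 as the rejection signal are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
MAX_URI = 2048                  # assumption: mirrors the LimitRequestFieldsize value in the post
WINDOW = timedelta(seconds=60)  # assumption: how soon the second request must follow the probe

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def is_bare_probe(rec):
    # Missing Referer and User-Agent headers are logged as "-"
    return rec["req"] == "GET / HTTP/1.0" and rec["ref"] in ("-", "") and rec["ua"] in ("-", "")

def is_oversize(rec):
    parts = rec["req"].split(" ")
    uri = parts[1] if len(parts) > 1 else rec["req"]
    return len(uri) > MAX_URI or rec["status"] in (400, 414)

def correlate(lines):
    """Return {ip: count} of bare probes followed within WINDOW by an oversize/rejected request."""
    last_probe, hits = {}, defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        if is_bare_probe(rec):
            last_probe[rec["ip"]] = rec["ts"]
        elif is_oversize(rec) and rec["ip"] in last_probe:
            if rec["ts"] - last_probe.pop(rec["ip"]) <= WINDOW:
                hits[rec["ip"]] += 1
    return dict(hits)

# Constructed sample lines (documentation address ranges, filler URI), not real traffic
SAMPLE = [
    '192.0.2.10 - - [23/Jun/2005:08:01:02 -0400] "GET / HTTP/1.0" 200 1456 "-" "-"',
    '192.0.2.10 - - [23/Jun/2005:08:01:05 -0400] "GET /' + "A" * 3000 + ' HTTP/1.0" 400 226 "-" "-"',
    '198.51.100.7 - - [23/Jun/2005:08:02:00 -0400] "GET / HTTP/1.0" 200 1456 "-" "-"',
    '203.0.113.5 - - [23/Jun/2005:08:03:00 -0400] "GET /index.html HTTP/1.1" 200 1456 "http://example.org/" "Mozilla/5.0"',
]
print(correlate(SAMPLE))
```
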




