Hello all, really need some help here. I need to block the vulnerable scanner. I kept getting these logs on my Linux Apache server:

    [error] [client 71.59.164.182] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

I have input the rules below on my mod_security 1.9 but I am still getting those logs, meaning they are still able to scan... Please tell me what went wrong and what rules I should put in mod_security 1.9 to effectively block that scanning.

    SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
    SecFilterSelective REQUEST_URI "\w00tw00t\.at\.ISC\.SANS"
    SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS"
    SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:"
    SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:\)"

Thank you.

AFAIK, it's a port scanner, and is not specific to just Apache. There are other more important log entries you need to be concerned about. I'm currently using mod_security 1.9.4 on Apache 2.2.4 and it works great for what I'm using it for. In addition to built-in Apache logging features, mod_security provides a way for me to dig deeper into logging and implement restrictions as issues arise. mod_security2 is a different beast, and I'm still reading documentation so not quite ready yet to migrate my 500+ rulesets/directives. :/
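
The error-log line quoted in the first post has a fixed shape, so the clients sending these probes can be tallied straight from Apache's error log. The following Python is an added example, not code from either poster; the function names, the `threshold` parameter and every sample line except the first are constructed here.

```python
import re
from collections import Counter

# Apache error_log line for a Host-less HTTP/1.1 request. The timestamp prefix
# is optional because the line quoted in the post omits it.
LINE_RE = re.compile(
    r'^(?:\[(?P<ts>[^\]]+)\] )?\[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] '
    r'client sent HTTP/1\.1 request without hostname '
    r'\(see RFC2616 section 14\.23\): (?P<uri>\S+)'
)
SIGNATURE = "w00tw00t.at.ISC.SANS"  # URI marker taken from the post


def parse_probe(line):
    """Return (ip, uri) if the line is a Host-less request carrying the marker."""
    m = LINE_RE.match(line.strip())
    if not m or SIGNATURE not in m.group("uri"):
        return None
    return m.group("ip"), m.group("uri")


def probing_clients(lines, threshold=1):
    """Count matching probes per client IP; keep IPs seen at least `threshold` times."""
    hits = Counter()
    for line in lines:
        probe = parse_probe(line)
        if probe:
            hits[probe[0]] += 1
    return {ip: n for ip, n in hits.most_common() if n >= threshold}


# Constructed sample: the first line is the one quoted in the post; the others
# are made up (documentation-range addresses) to exercise the non-matching paths.
SAMPLE_LOG = """\
[error] [client 71.59.164.182] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Jan 01 10:00:00 2007] [error] [client 71.59.164.182] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Jan 01 10:00:05 2007] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
[Mon Jan 01 10:00:09 2007] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /index.html
"""

if __name__ == "__main__":
    # One "ip<TAB>count" line per client, ready to review before blocking upstream.
    for ip, count in probing_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}\t{count}")
```

The per-IP counts give a reviewable list for a firewall or deny rule instead of relying on a URI filter alone.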