[Date Prev][Date Next][Thread Prev][Thread Next][Thread Index]

[fw1-gurus] http protocol level inspection and smart defense

Subject: [fw1-gurus] http protocol level inspection and smart defense
From: "Simon Chang" <agentflicker@xxxxxxxxxxx>
To: fw1-gurus@xxxxxxxxxxxxxxxxxx
Date: Tue, 23 Dec 2003 15:20:46 +0100

Hello all,

NGAI on a Nokia.

A newbie smart defense question I'm afraid. We have a web site behind ourfirewall, we receive a lot of http "gets" like this:

http get / http/1.1
And thats all no other http headers at all, in the request.

Apparently this is a worm looking for an Apache web server, as they respondin an unsual way if they do not recieve the "host" header. We haven't hadany Apache servers so I haven't worried about it to much. But now I have anApache server so I would like to block at the firewall any http "gets" thatdo not have at least one other header (any header) but e.g. "host:"

Is it possible to do something like this? I know it does not conform to thehttp RFC but... I'm not worried about that.


Cheers Simon Chang.

_________________________________________________________________

Protect your PC - get McAfee.com VirusScan Onlinehttp://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963



---------------------------------------------------------------------
FireWall-1 Gurus Mailing List (http://www.phoneboy.com/gurus)
To unsubscribe, mailto:fw1-gurus-unsubscribe@xxxxxxxxxxxxxxxxxx
For additional commands, mailto:fw1-gurus-help@xxxxxxxxxxxxxxxxxx

Prev by Date: [fw1-gurus] Netgear FVS 318 to Checkpoint 4.1
Next by Date: [fw1-gurus] User database
Previous by thread: [fw1-gurus] Netgear FVS 318 to Checkpoint 4.1
Next by thread: [fw1-gurus] User database
Index(es):
- Date
- Thread