Hey guys, I'm trying to filter a probing attack from reaching all my webservers. The offending line in my server logs looks like this:
POST / HTTP/1.1" 403 1296 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Where I have failed to accomplish this with filtering based on packet content, I'd like to be able to succeed with a layer 7 matcher.
I am getting some packets detected and blocked by just adding the above line, but I'm still getting log hits. This leads me to believe that perhaps some of those requests are coming in via 2 or more packets, sidestepping the content matcher some other way.
Layer 7, according to the manual, will inspect 10 packets for the offending content. So I tried adding the line above as a regex, but it doesn't seem to be picking anything up.
Is there a guide or manual on how to actually make a layer 7 rule based on what I see in the packets when I run a sniffer?
I have posted a picture of the offending packet and my content filter that is failing to catch it. Maybe one of you guys has a suggestion on how to prevent these from getting past the firewall.
I think this is traffic from the Pushdo botnet. Because this is an application layer attack, layer 7 rules may be the only way to catch this on a hardware firewall; the only other option is to install mod_security on each box and block it that way. I was hoping to avoid having to rely on the servers themselves.
Anybody familiar with creating layer 7 regexps might be able to get a consulting fee on this one.
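As an added example (not code from the original post or from any firewall vendor), the script below runs a regex two ways over constructed sample TCP segments: once per segment, the way a plain packet content matcher works, and once over the reassembled first packets of the connection, the way a layer 7 matcher that buffers the start of a connection works. It shows why a request that arrives in two or more segments slips past a per-packet match, and why the log line pasted above fails as a pattern: the `403 1296` in it are the response status and byte count that Apache writes to its log, and they never appear in the request on the wire. The 10-packet figure is taken from the post; the 2 KB buffer cap, the sample payloads and the request pattern are assumptions made for the example.

```python
import re

# Constructed sample traffic (not captured packets): the probe request as a
# single segment, the same request split across three segments, and an
# ordinary GET for comparison.
PROBE_SEGMENTS = [
    b"POST / HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: Mozil",
    b"la/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n",
    b"Content-Length: 0\r\n\r\n",
]
PROBE_WHOLE = [b"".join(PROBE_SEGMENTS)]
BENIGN = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
]

# The Apache log line from the post, used verbatim as a regex. The status code
# and response size (403 1296) are log fields, not request bytes, so this can
# never match what is on the wire, however the packets are reassembled.
LOG_LINE_AS_REGEX = re.compile(
    rb'POST / HTTP/1.1" 403 1296 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)'
)

# A pattern written against the request as it actually appears on the wire
# (assumed layout: request line, then headers, CRLF-terminated). Metacharacters
# such as "." and "(" are escaped, and header names are matched case-insensitively.
REQUEST_PATTERN = re.compile(
    rb"^POST / HTTP/1\.[01]\r\n"                 # request line
    rb"(?:[^\r\n]*\r\n)*?"                       # any headers before User-Agent
    rb"User-Agent: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1; SV1\)\r\n",
    re.I,
)


def match_per_packet(segments, pattern):
    """Apply the pattern to each segment on its own, as a per-packet
    content matcher does. A request split across segments can only match
    if one segment happens to contain the whole pattern."""
    return any(pattern.search(seg) is not None for seg in segments)


def match_stream(segments, pattern, max_packets=10, max_bytes=2048):
    """Reassemble the first max_packets segments (capped at max_bytes, an
    assumed limit) and apply the pattern once to the buffer, as a layer 7
    matcher that inspects the start of the connection does."""
    buf = b"".join(segments[:max_packets])[:max_bytes]
    return pattern.search(buf) is not None


def summary():
    """Return the outcome of every combination so the difference is visible."""
    cases = {
        "probe, one segment":     PROBE_WHOLE,
        "probe, three segments":  PROBE_SEGMENTS,
        "benign GET":             BENIGN,
    }
    rows = {}
    for name, segs in cases.items():
        rows[name] = {
            "log line as regex, per packet": match_per_packet(segs, LOG_LINE_AS_REGEX),
            "log line as regex, stream":     match_stream(segs, LOG_LINE_AS_REGEX),
            "request pattern, per packet":   match_per_packet(segs, REQUEST_PATTERN),
            "request pattern, stream":       match_stream(segs, REQUEST_PATTERN),
        }
    return rows


if __name__ == "__main__":
    for name, results in summary().items():
        print(name)
        for how, hit in results.items():
            print(f"  {how:32s} {'MATCH' if hit else 'no match'}")
```

The split probe is caught only by the request pattern applied to the reassembled stream; the log line as a regex matches nothing in either mode. When building a real rule, capture the request with a sniffer and write the pattern against those bytes rather than against the server's log format.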