HIDS 30220

From Atomicorp Wiki
Rule: 30220
Status: Active
Alert Message: Invalid Apache connection attempt - Possible Apache DOS attack


Description

This rule is triggered when Apache generates an error that it has received an invalid request from a client and cannot read the headers in the request.

These events are not triggered, caused, configured or managed by ASL, and ASL does not cause the blocking action or alert. ASL simply reports that this error has occurred; by the time Apache logs this error it has already rejected the request.

Details

This rule is designed to detect connections to Apache that Apache has rejected because it cannot read the request headers. This can occur for one of two reasons:

1) This is an attack, and the client is attempting to cause Apache to crash or use up too many resources.

2) The client has generated a broken request.

ASL generates an alert for these conditions in case you wish to investigate further. Because there are known DOS attacks that generate these errors with Apache, ASL will track these events but will not shun them. Please see HIDS_30221 for information about shunning.

ASL does not control or configure this behavior; it merely reports when this occurs with Apache. Therefore, if your clients are generating this error, please contact your Apache vendor, or the client, to determine why they are generating these broken connections.

ASL will not shun, by default, on these events. If you wish to have ASL block on these events please see the Tuning Advice section below.

Disabling this rule will not prevent Apache from blocking these requests, or generating these errors. It will simply "silence" the alert in ASL; Apache will continue to reject these requests, and will continue to generate these errors. If this was a real DOS attack, ASL would no longer block the DOS attack. We do not recommend you disable this rule.

Troubleshooting

False Positives

This rule is not caused by ASL. ASL merely reports when Apache generates this error.

Tuning Guidance

If you do wish to shun on these alerts, just set Active Response in the ASL rule manager for rule 30220 to "yes". HIDS_30221 will shun if 6 or more of these events occur from the same IP within 120 seconds; therefore we do not recommend you set this rule to shun, as 30221 will do this if a real DOS attack were to occur.
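
As an added illustration (not code from this page or from ASL), the tracking-versus-shunning distinction above expressed as a small replay over constructed Apache error-log lines: every matching line counts as a 30220 event, and an IP that produces 6 or more of them within 120 seconds is flagged the way 30221 shuns. It assumes the Apache 2.x error-log layout and the "request failed: error reading the headers" message text, which the page does not specify.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample error-log lines (documentation-range IPs); not taken from the page.
SAMPLE_LOG = """\
[Tue Mar 05 09:50:00 2013] [error] [client 203.0.113.5] request failed: error reading the headers
[Tue Mar 05 10:00:00 2013] [error] [client 203.0.113.5] request failed: error reading the headers
[Tue Mar 05 10:00:05 2013] [error] [client 198.51.100.7] request failed: error reading the headers
[Tue Mar 05 10:00:10 2013] [error] [client 203.0.113.5] request failed: error reading the headers
[Tue Mar 05 10:00:20 2013] [notice] caught SIGTERM, shutting down
[Tue Mar 05 10:00:30 2013] [error] [client 203.0.113.5] request failed: error reading the headers
[Tue Mar 05 10:00:40 2013] [error] [client 203.0.113.5] request failed: error reading the headers
[Tue Mar 05 10:01:00 2013] [error] [client 203.0.113.5] request failed: error reading the headers
[Tue Mar 05 10:01:30 2013] [error] [client 198.51.100.7] request failed: error reading the headers
[Tue Mar 05 10:01:50 2013] [error] [client 203.0.113.5] request failed: error reading the headers
"""
# Assumed Apache 2.x error-log layout and message text; the page does not give the exact string.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
                     r"request failed: error reading the headers")
THRESHOLD, WINDOW_SECONDS = 6, 120   # 30221: 6 or more events from one IP within 120 s

def parse_event(line):
    """Return (timestamp, client_ip) when a line matches (a 30220 event), else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"), m.group("ip")

def correlate(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Replay lines in order. Every match is tracked as a 30220 event but never shunned;
    an IP reaching `threshold` events inside a sliding `window` becomes a 30221 shun
    candidate. Returns (events, shun) with shun mapping ip -> time the threshold was hit."""
    events, shun = [], {}
    recent = defaultdict(deque)          # per-IP timestamps still inside the window
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue                      # unrelated Apache messages are ignored
        ts, ip = ev
        events.append(ev)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # evict events older than the window
            q.popleft()
        if len(q) >= threshold and ip not in shun:
            shun[ip] = ts
    return events, shun
```

Run `correlate(SAMPLE_LOG.splitlines())`: the 09:50 event from 203.0.113.5 falls outside the window and is evicted, so that IP only crosses the threshold at 10:01:50, while 198.51.100.7 is tracked but never flagged.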

Disabling this rule will not prevent Apache from dropping these connections. It will simply "silence" the alert in ASL. Apache will continue to drop these connections, and will continue to log this activity. We do not recommend you disable this rule.

Additional Information

Similar Rules


Knowledge Base Articles


Outside References

