HIDS 30221

From Atomicorp Wiki
Rule: 30220
Status: Active
Alert Message: Multiple invalid Apache connection attempts - Possible DOS attack


Description

This rule is triggered when Apache logs multiple errors from the same IP address stating that it received an invalid request from a client and cannot read the headers in the request.

These events are not triggered, caused, configured or managed by ASL, and ASL does not cause the blocking action or alert. ASL simply reports that this error has occurred; by the time Apache logs this error it has already rejected the request.

Details

This rule is designed to detect connections to Apache that Apache has rejected because it cannot read the request headers. This can occur for one of two reasons:

1) This is an attack, and the client is attempting to cause Apache to crash or to use up too many resources.

2) The client has generated a broken request.

ASL generates an alert for these conditions in case you wish to investigate further. Because there are known DOS attacks that generate these errors with Apache, ASL will track these events and will shun the source.
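As an added illustration (not ASL's or OSSEC's own code), the per-source correlation this rule performs, written in Python: it scans Apache error-log lines for the header-read failure, keeps a sliding time window per client IP, and flags an IP once it crosses a threshold. The log line format, the message text, the threshold and the window length are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache 2.2-style error-log line. The "error reading the headers" text is
# assumed to be the message Apache writes when it cannot parse request headers.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]:]+)(?::\d+)?\] "
    r"request failed: error reading the headers"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"

def parse_line(line):
    """Return (timestamp, client_ip) for a header-read failure line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip")

def find_bursts(lines, threshold=8, window_s=120):
    """Return {ip: first_time_threshold_crossed} for IPs that produced at least
    `threshold` header failures within any `window_s`-second sliding window.
    Threshold and window are assumed values, not ASL's configured ones."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:        # unrelated error, or a line we cannot parse
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop events older than the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts      # alert once per source, when first crossed
    return flagged

# Constructed sample log (not captured from a real server): one client sending a
# stream of unreadable requests, one client with an occasional broken request.
SAMPLE_LOG = [
    f"[Mon Jan 08 10:00:{s:02d} 2024] [error] [client 203.0.113.5] "
    "request failed: error reading the headers" for s in range(0, 50, 5)
] + [
    "[Mon Jan 08 10:00:07 2024] [error] [client 198.51.100.7] request failed: error reading the headers",
    "[Mon Jan 08 10:01:00 2024] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico",
    "[Mon Jan 08 10:09:30 2024] [error] [client 198.51.100.7] request failed: error reading the headers",
]

if __name__ == "__main__":
    for ip, when in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: threshold crossed at {when:%H:%M:%S}")
```

The second client produces the same Apache error but never reaches the threshold inside the window, which is the broken-client case the Details section describes.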

ASL does not control or configure this behavior; it merely reports when it occurs in Apache. Therefore, if your clients are generating this error, please contact your Apache vendor, or the client, to determine why they are generating these broken connections.

ASL will shun, by default, on these events. If you do not wish to have ASL block on these events please see the Tuning Advice section below.

Disabling this rule will not prevent Apache from blocking these requests or generating these errors. It will simply "silence" the alert in ASL; Apache will continue to reject these requests and will continue to generate these errors. If this was a real DOS attack, ASL would no longer block the DOS attack. We do not recommend you disable this rule.

Troubleshooting

False Positives

This rule is not caused by ASL. ASL merely reports when Apache generates this error.

Tuning Guidance

If you do not wish to shun on these alerts, just set Active Response in the ASL rule manager for rule 30221 to "no".

Disabling this rule will not prevent Apache from dropping these connections. It will simply "silence" the alert in ASL; Apache will continue to drop these connections and will continue to log this activity. We do not recommend you disable this rule.

Additional Information

Similar Rules

Knowledge Base Articles

Outside References