Difference between revisions of "HIDS 30113"

From Atomicorp Wiki
Jump to: navigation, search
(Created page with "'''Rule ID''' 30113 '''Status''' Active rule currently published '''Description''' This rule reports when Apache has completely rejected a connection from a client, and ...")
 
m
 
(4 intermediate revisions by one user not shown)
Line 10: Line 10:
 
'''Description'''
 
'''Description'''
  
This rule reports when Apache has completely rejected a connection from a client, and Apache has determined the method used is Invalid.  
+
'''This event is not caused by ASL.'''  ASL is simply reporting when this occurs with Apache, and ASL neither causes this nor can it change this behavior in apache.  Disabling this rule will only cause ASL to not report the event, it wont change apache behavior nor will disabling this prevent apache form rejecting these requests.
  
Disabling this rule will not prevent Apache from rejecting these invalid connections, this rule simply reports when Apache has rejected the connection.
+
This rule reports when Apache has completely rejected a connection from a client, and Apache has determined the method used is Invalid.  [[ASL]] does not cause this, this is simply a reporting rule, and disabling this rule will not prevent Apache from rejecting these invalid connections.
  
Certain DOS attacks use this method to use up all file handles in use on the system.
+
This rule does not shun the offending IP by default.  Please see rule [[HIDS_30122]] which will shun multiple 30113 events from the same IP within a period of time.
 +
 
 +
Certain DOS attacks use this method to use up all file handles in use on the system, and Heartbleed attacks ( See the [[Vuln_web_cve-2014-016]] article for details) can generate this alert as well.
  
 
'''False Positives'''
 
'''False Positives'''
Line 23: Line 25:
 
'''Tuning Recommendations'''
 
'''Tuning Recommendations'''
  
None.
+
None. Disabling this rule will have no effect on apache rejecting these connections.  This event is not caused by ASL, and ASL can not change this behavior in apache.
 +
 
 +
'''Apache Log Examples'''
 +
 
 +
''[error] [client 1.2.3.4] Invalid method in request /x16/x03/x01''

Latest revision as of 14:54, 11 April 2014

Rule ID

30113

Status

Active rule currently published


Description

This event is not caused by ASL. ASL is simply reporting when this occurs with Apache, and ASL neither causes this nor can it change this behavior in apache. Disabling this rule will only cause ASL to not report the event, it wont change apache behavior nor will disabling this prevent apache form rejecting these requests.

This rule reports when Apache has completely rejected a connection from a client, and Apache has determined the method used is Invalid. ASL does not cause this, this is simply a reporting rule, and disabling this rule will not prevent Apache from rejecting these invalid connections.

This rule does not shun the offending IP by default. Please see rule HIDS_30122 which will shun multiple 30113 events from the same IP within a period of time.

Certain DOS attacks use this method to use up all file handles in use on the system, and Heartbleed attacks ( See the Vuln_web_cve-2014-016 article for details) can generate this alert as well.

False Positives

None. This rule simply reports when Apache has rejected the connection because it is using an invalid method.


Tuning Recommendations

None. Disabling this rule will have no effect on apache rejecting these connections. This event is not caused by ASL, and ASL can not change this behavior in apache.

Apache Log Examples

[error] [client 1.2.3.4] Invalid method in request /x16/x03/x01

Personal tools