HIDS 30220

From Atomicorp Wiki

Revision as of 19:08, 19 January 2013

Rule: 30220
Status: Active
Alert Message: Invalid Apache connection attempt - Possible Apache DOS attack


Description

This rule is triggered when Apache logs an error stating that it has received an invalid request from a client and cannot read the headers in the request.

These events are not triggered, caused, configured or managed by ASL, and ASL does not cause Apache to reject the request. ASL simply reports that this error has occurred; by the time Apache logs this error it has already rejected the request.

Details

This rule is designed to detect connections to Apache that Apache has rejected because it cannot read the request headers. This can occur for one of two reasons:

1) This is an attack, and the client is attempting to cause Apache to crash or to use up too many resources.

2) The client has generated a broken request.

ASL generates an alert for these conditions in case you wish to investigate further. Because there are known DOS attacks that generate these errors with Apache, ASL will block the source of these errors by default.

ASL does not control or configure this behavior; it merely reports when Apache rejects a request for this reason. Therefore, if your own clients are generating this error, please contact your Apache vendor, or the operator of the client, to determine why they are generating these broken connections.

ASL will shun the source, by default, on these events. If you do not wish ASL to shun on these events, please see the Tuning Guidance section below.

Disabling this rule will not prevent Apache from rejecting these requests or generating these errors. It will simply "silence" the alert in ASL; Apache will continue to reject these requests and will continue to log these errors. If this was a real DOS attack, ASL would no longer block it. We do not recommend that you disable this rule.
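To make the detection concrete, the following added example (not ASL's or OSSEC's rule code) parses Apache 2.2-style error_log lines, picks out the header-read failure that rule 30220 alerts on, and separates the two causes described above: a source that produces the error once looks like a broken client, while a source that produces it repeatedly in a short window looks like a DOS attempt. The message text "request failed: error reading the headers" is what httpd itself logs when it cannot parse request headers; the five-in-sixty-seconds threshold, the log lines and the client addresses are constructed for the example and are not ASL's actual shun logic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Message httpd writes when it cannot parse a client's request headers
# (the condition rule 30220 reports on).
HEADER_READ_FAILURE = "request failed: error reading the headers"

# Apache 2.2 error_log layout: [timestamp] [level] [client ip] message
# (Apache 2.4 adds module, pid and client port fields and is not handled here.)
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]\s]+)\] (?P<msg>.*)$"
)


def parse_error_line(line):
    """Parse one error_log line into a dict, or None if it has no [client] field."""
    m = ERROR_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "level": m.group("level"),
        "client": m.group("client"),
        "msg": m.group("msg"),
    }


def matches_30220(event):
    """True when the parsed event is the header-read failure this rule alerts on."""
    return event is not None and HEADER_READ_FAILURE in event["msg"]


def evaluate(lines, threshold=5, window=timedelta(seconds=60)):
    """Run the detection over error_log lines.

    Returns (alerts, shun): alerts is every matching event in log order (one
    alert per rejected request, as the rule fires per event); shun is the set
    of client addresses that produced at least `threshold` matches inside
    `window`, i.e. sources that look like a DOS rather than one broken request.
    Threshold and window are illustrative assumptions, not ASL's behaviour.
    """
    alerts = []
    shun = set()
    recent = defaultdict(deque)  # client -> timestamps of matches still inside the window
    for line in lines:
        event = parse_error_line(line)
        if not matches_30220(event):
            continue  # other Apache errors, or lines without a [client] field
        alerts.append(event)
        q = recent[event["client"]]
        q.append(event["ts"])
        while q and event["ts"] - q[0] > window:
            q.popleft()  # drop matches that have aged out of the window
        if len(q) >= threshold:
            shun.add(event["client"])
    return alerts, shun


# Constructed sample log: one client with a single broken request, one client
# hammering the server, plus unrelated lines the rule must ignore.
SAMPLE_LOG = """\
[Sat Jan 19 19:08:00 2013] [notice] Apache/2.2 configured -- resuming normal operations
[Sat Jan 19 19:08:01 2013] [error] [client 198.51.100.9] request failed: error reading the headers
[Sat Jan 19 19:08:02 2013] [error] [client 198.51.100.9] File does not exist: /var/www/favicon.ico
[Sat Jan 19 19:08:05 2013] [error] [client 203.0.113.7] request failed: error reading the headers
[Sat Jan 19 19:08:05 2013] [error] [client 203.0.113.7] request failed: error reading the headers
[Sat Jan 19 19:08:06 2013] [error] [client 203.0.113.7] request failed: error reading the headers
[Sat Jan 19 19:08:06 2013] [error] [client 203.0.113.7] request failed: error reading the headers
[Sat Jan 19 19:08:07 2013] [error] [client 203.0.113.7] request failed: error reading the headers
""".splitlines()


if __name__ == "__main__":
    alerts, shun = evaluate(SAMPLE_LOG)
    for a in alerts:
        print(f"{a['ts']:%H:%M:%S} alert 30220 from {a['client']}")
    print("shun candidates:", sorted(shun))
```

With the sample above, six alerts are raised (one per rejected request), but only 203.0.113.7 crosses the threshold; 198.51.100.9 produced a single broken request and would only be alerted on. Lowering `threshold` to 1 reproduces the page's default of shunning on every event.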

Troubleshooting

False Positives

This rule is not caused by ASL. ASL merely reports when Apache generates this error.

Tuning Guidance

If you do not wish to shun on these alerts, just set Active Response in the ASL rule manager for rule 30220 to "no".

Disabling this rule will not prevent Apache from dropping these connections. It will simply "silence" the alert in ASL. Apache will continue to drop these connections, and will continue to log this activity. We do not recommend you disable this rule.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.
