Forum Discussion
hooleylist
Feb 05, 2013
It looks like the malicious clients are using an absolute URL in the URI so that's why validating [HTTP::host] isn't working to block the requests. Here's something you can try where you first look for an absolute URL in the URI and then check the Host header value.
when HTTP_REQUEST {
    log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP [HTTP::method] request to [HTTP::host], [HTTP::uri]"

    # Check if the URI is absolute and http:// or https://
    # (with -glob the patterns need a trailing * to match the rest of the URI)
    switch -glob [string tolower [HTTP::uri]] {
        "http://*" -
        "https://*" {
            # Parse the host value from the URI
            set host [string tolower [URI::host [HTTP::uri]]]
            log local0. "[IP::client_addr]:[TCP::client_port]: Parsed $host from URI [HTTP::uri]"
        }
        default {
            set host [string tolower [HTTP::host]]
        }
    }

    # Check if the host value has a port and strip it before matching
    if { $host contains ":" } {
        set port [getfield $host ":" 2]
        set host [getfield $host ":" 1]
        log local0. "[IP::client_addr]:[TCP::client_port]: Parsed \$host:\$port: $host:$port"
    }

    # Check for invalid host values
    if { [class match $host equals bad_hosts_dg] } {
        # Send a block response
        HTTP::respond 403 content {blocked!}
        # Or drop the connection instead
        #drop
    }
}
Aaron
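As an added illustration (not part of Aaron's post or the iRule itself), the same precedence rule in Python: a Host-header-only check beside the effective-host check the iRule performs, run over constructed raw requests. BAD_HOSTS stands in for the bad_hosts_dg data group and the sample requests are made up for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed block list standing in for the bad_hosts_dg data group
BAD_HOSTS = {"evil.example", "blocked.example"}

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request head into (method, target, headers)."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def host_header_only(raw: str) -> str:
    """The naive check: trust the Host header and ignore the request-target."""
    _, _, headers = parse_request(raw)
    return headers.get("host", "").lower().split(":")[0]

def effective_host(raw: str) -> str:
    """Mirror the iRule: an absolute-form request-target takes precedence
    over the Host header (RFC 7230 section 5.4); any :port is then dropped."""
    _, target, headers = parse_request(raw)
    lower = target.lower()
    if lower.startswith(("http://", "https://")):
        host = urlsplit(lower).hostname or ""
    else:
        host = headers.get("host", "").lower()
    return host.split(":")[0]

def is_blocked(raw: str) -> bool:
    """True when the host the server will actually serve is on the block list."""
    return effective_host(raw) in BAD_HOSTS

# Constructed samples: an absolute-form target naming a blocked host while the
# Host header names an allowed one (the case that defeats a Host-only check),
# and an ordinary origin-form request carrying the blocked host with a port.
ABSOLUTE_FORM = (
    "GET http://evil.example:8080/path HTTP/1.1\r\n"
    "Host: good.example\r\n\r\n"
)
ORIGIN_FORM = "GET /path HTTP/1.1\r\nHost: evil.example:8080\r\n\r\n"
```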