ModSecurity - Domain listed not mine
Hi There,
I'm sorry to ask such a silly question but I'm seeing hits on my server through ModSecurity - Tools from other domains or blank altogether with just an IP. I'm not hosting the domain so why am I seeing these hits along with my ones?
Any help appreciated.
Kim.
OWASP3
Hits List
2019-03-10 13:24:29 example.com 201.198.xxx.xx NOTICE 400
920310: Request Has an Empty Accept Header
Request:
GET /autodiscover/autodiscover.xml
Action Description:
Warning.
Justification:
Match of "pm AppleWebKit Android Business Enterprise Entreprise" against "REQUEST_HEADERS:User-Agent" required.
-
The host column with the domain name in your example is client supplied in the Request Header...
Host: domainname.com
A good client sets it to the domain the client was accessing when the request was made. A bad client can set it to anything.

The 400 Response Status was set by Apache in response to a Bad Request (not complying with the HTTP protocol). Once this Response Status is set, Apache will respond with 400.shtml if it exists (it will not serve /autodiscover/autodiscover.xml). That happened before ModSecurity parsed the request.

ModSecurity then parsed the request and hit rule 920310. The Justification log is a bit obscure, but if you read rule 920310 it has the chained logic of...
If the HTTP header named Accept: IS empty
AND
the HTTP header named User-Agent: IS NOT (AppleWebKit OR Android OR Business OR Enterprise OR Entreprise)

The severity of this hit is NOTICE, which means this rule has no blocking effect on the request but does log it. Hits to other rules by the same request may still cause ModSecurity to deny it.
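An added example, not part of the reply above and not ModSecurity or CRS code: a Python triage of raw requests that labels the client-supplied Host value and applies the 920310 logic as the reply describes it. The hosted domain names, the sample requests and all function names are assumptions made for illustration.

```python
import ipaddress

# Phrases taken from the rule 920310 justification quoted in the thread.
UA_EXEMPT = ("applewebkit", "android", "business", "enterprise", "entreprise")
HOSTED = {"hosted.example", "www.hosted.example"}  # hypothetical: domains this server serves

def parse_headers(raw):
    """Split a raw HTTP/1.x request head into (request line, {lowercased name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def classify_host(headers, hosted):
    """Label the client-supplied Host value: hosted, foreign, ip-literal or missing."""
    host = headers.get("host", "").lower()
    if not host:
        return "missing"
    # Drop an optional :port; a bracketed value is an IPv6 literal.
    name = host[1:host.find("]")] if host.startswith("[") else host.split(":", 1)[0]
    try:
        ipaddress.ip_address(name)
        return "ip-literal"
    except ValueError:
        return "hosted" if name.rstrip(".") in hosted else "foreign"

def matches_920310_logic(headers):
    """Logic as the reply describes it: Accept is empty AND User-Agent has none of the phrases.
    Assumption: a request with no Accept header at all does not count as 'empty'."""
    if headers.get("accept") != "":
        return False
    ua = headers.get("user-agent", "").lower()  # ModSecurity's @pm is case-insensitive
    return not any(phrase in ua for phrase in UA_EXEMPT)

def triage(raw_requests, hosted=HOSTED):
    """Return (request line, host label, rule match) for each raw request."""
    rows = []
    for line, headers in map(parse_headers, raw_requests):
        rows.append((line, classify_host(headers, hosted), matches_920310_logic(headers)))
    return rows

# Constructed sample requests (not taken from any real log).
SAMPLES = [
    "GET /autodiscover/autodiscover.xml HTTP/1.1\r\nHost: example.com\r\nAccept:\r\nUser-Agent: constructed-client/1.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: 203.0.113.10\r\nAccept:\r\nUser-Agent: Mozilla/5.0 (Linux; Android 9)\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.hosted.example\r\nAccept: text/html\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]
```

Calling `triage(SAMPLES)` labels the first request "foreign" with a rule match, which is the pattern in the hit shown in the question: a domain the server does not host, logged only because the client put it in the Host header.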
Thank you! The thing is it keeps happening?
Hello @cuzzmunger,
"I'm not hosting the domain so why am I seeing these hits along with my ones?"
Do any of its DNS entries resolve to your server's IP address? Thank you.
No I don't think so. I wondered if there is a link to one of my sites or not but can't find any reason.