Rule for blocking name of scripts?

mikeshinn · **Posted:** Sat Sep 05, 2009 7:24 pm

LOL! I love it!

One thing about attracting more attacks is that you get more data about the sources, methods and sometimes even the real source of the attacks (proxy leaks, browser leaks, etc.) which you can use to protect your systems. Always a plus.

Sergio · **Joined:** Sat Jan 17, 2009 2:19 pm **Posts:** 99

Does modsec has a rule to use this jpg everytime a 406 is triggered?

Regards,
Sergio

mikeshinn · **Posted:** Sat Sep 05, 2009 8:51 pm

One way you can do this is by setting apache up to use a custom error page for that type of error (in your case 406), and formatting that page to your liking.

Another is with redirect, basically send the attacker to a specific page, just change the action from drop to redirect:http://www.whatver.com/block.html.

You can also use the proxy action, which requires you to setup the proxy backend in apache to support (and really not necessary unless you are setting up a full blown honeypot) - same thing, change the drop action to proxy:http://www.someothersystem.com/.

Sergio · **Joined:** Sat Jan 17, 2009 2:19 pm **Posts:** 99

Finally I got the sign to work and is doing a good job, lol. Now I show the sign to any one that has triggered a 403 or 406 error.

I have a really nice block of SPAMMER IPs, in case you want it. I will like to share this list with anyone that is interested in blocking them, the list now is more than 1K IPs and growing, lol.

mikeshinn · **Posted:** Fri Sep 11, 2009 6:06 pm

Yes. please send on any data you have. We're cooking the honeypot data we have collected over the past few years into the RBL, so if you have anything you want to contrbiute please email it to us. (put a password on it so our collective AV/AS systems dont block it)

Sergio · **Joined:** Sat Jan 17, 2009 2:19 pm **Posts:** 99

I will be sending you a list of all the spammers that the guestbook collected.

On the other hand, I saw that the new rules on the 50, included the rules for the malware-scripts.txt, but unfortunately they are not working neither of them.

Regards,
Sergio

mikeshinn · **Posted:** Sat Sep 12, 2009 2:31 pm

The malware_scripts rule isnt active yet in the ASL rules, its commented out as we do more testing.

Sergio · **Joined:** Sat Jan 17, 2009 2:19 pm **Posts:** 99

mikeshinn wrote:

The malware_scripts rule isnt active yet in the ASL rules, its commented out as we do more testing.

Sorry, I am anxious on having that rule working, lol.

I will wait until you say it is in production.

Regards,
Sergio

Sergio · **Joined:** Sat Jan 17, 2009 2:19 pm **Posts:** 99

Any idea when the rule to block script names will be available?

Regards,
Sergio

mikeshinn · **Posted:** Wed Jun 06, 2012 11:38 am

I forgot to mention, it was added to the realtime rules a few months ago.

Rule for blocking name of scripts?

Who is online