Hi,

in the nginx access log I see some requests looking like

"l\x00\x0B\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x0C\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x03\x00\x00\x0B\x06\xE0\x00\x00\x00\x00\x00"

and some longer ones too. Other logs from the same IP address make it clear that the person is scanning for vulnerable systems. But I want to know: would there ever be a legitimate request method that contains "\x"? Because the rule I think will catch this is:

failregex = ^<HOST>.+" "\S*\\x

Basically, it catches any request method containing "\x" (notice the first example above starts with another character, so I put "\S*" to begin the request method pattern). So is there any time a client could use "\x" in the request method portion of a valid request?
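An added example, not part of the original post: RFC 7230 defines the request method as a "token", a character set that excludes the backslash, and nginx by default writes `"`, `\` and bytes below 32 or above 126 to the access log as `\xHH`. The sketch below assumes the default "combined" log format and uses constructed log lines to compare the `\S*\\x` idea, anchored to the opening quote of the request field, with a strict token check.

```python
import re

# RFC 7230 "token": the only characters a request method may contain.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Assumption: nginx default "combined" format (host - user [time] "request" ...).
PREFIX = r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "'
REQUEST = re.compile(PREFIX + r'(?P<request>[^"]*)"')
# The post's \S*\\x idea, anchored to the opening quote of the request field.
ESCAPED_METHOD = re.compile(PREFIX + r'\S*\\x')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    r'192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.0"',
    r'198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "l\x00\x0B\x00\x00\x00\x00\x00\x00\x00\x00\x00" 400 150 "-" "-"',
    r'198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "\x03\x00\x00\x0B\x06\xE0\x00\x00\x00\x00\x00" 400 150 "-" "-"',
    # \x escape in the URI only: the method itself is still a valid token.
    r'192.0.2.10 - - [10/Oct/2023:13:56:02 +0000] "GET /s?q=\xE2\x9C\x93 HTTP/1.1" 200 12 "-" "-"',
    r'192.0.2.11 - - [10/Oct/2023:13:56:09 +0000] "PROPFIND /dav/ HTTP/1.1" 207 321 "-" "-"',
]


def method_of(line):
    """Return (host, method) for a combined-format line, or None if it does not parse."""
    m = REQUEST.match(line)
    if m is None:
        return None
    return m.group("host"), m.group("request").split(" ", 1)[0]


def invalid_method_lines(lines):
    """Indexes of lines whose method is not an RFC 7230 token."""
    hits = []
    for i, line in enumerate(lines):
        parsed = method_of(line)
        if parsed is not None and not TOKEN.fullmatch(parsed[1]):
            hits.append(i)
    return hits


def escaped_method_lines(lines):
    """Indexes of lines where a \\x escape appears before the first space of the request."""
    return [i for i, line in enumerate(lines) if ESCAPED_METHOD.match(line)]


if __name__ == "__main__":
    print("not a token:", invalid_method_lines(SAMPLE))
    print("\\x in method:", escaped_method_lines(SAMPLE))
```

On these samples both checks flag only the two binary probes; the request with `\x` in its query string and the WebDAV `PROPFIND` request are left alone.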