HTTP Anti-Virus Proxy http://havp.hege.li/forum/

Invalid Request Method http://havp.hege.li/forum/viewtopic.php?f=3&t=194

Author: vittorio [ 18 Dec 2006 22:27 ]
Post subject: Invalid Request Method
S.O. : FreeBSD 6.1
Havp : 0.83 - Listen on port 8080
ipfw rules : fwd 192.168.0.85,8080 tcp from 192.168.0.0/24 to any dst-port 80

In some cases HAVP reports: Invalid Request Method

This is the request:

GET / HTTP/1.1
Accept: */*
Accept-Language: it
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Cookie: MC1=V=3&GUID=56f3964a5e5a4474b56fbbd82ad5463e; ebPanelFrequency_.it.msn.com=351382%3A2%3A1%3A1166288683183
Connection: Keep-Alive
Host: it.msn.com

havp configuration:

$ cat /usr/local/etc/havp/havp.config
#
# This is the configuration file for HAVP
#
# All lines starting with a hash (#) or empty lines are ignored.
# Uncomment parameters you want to change!
#
# All parameters configurable in this file are explained and their default
# values are shown. If no default value is defined "NONE" is specified.
#
# General syntax: Parameter Value
# Value can be: true/false, number, or path
#
# Extra spaces and tabs are ignored.
#
# You must remove this line for HAVP to start.
# This makes sure you have (hopefully) reviewed the configuration.
# Hint: You must enable some scanner! Find them in the end..
#
# For reasons of security it is recommended to run a proxy program
# without root rights. It is recommended to create user that is not
# used by any other program.
#
# Default:
USER clamav
GROUP clamav
# If this is true HAVP is running as daemon in background.
# For testing you may run HAVP at your text console.
#
# Default:
# DAEMON true
#
# Process id (PID) of the main HAVP process is written to this file.
# Be sure that it is writeable by the user under which HAVP is running.
# /etc/init.d/havp script requires this to work.
#
# Default:
PIDFILE /var/run/havp.pid
#
# For performance reasons several instances of HAVP have to run.
# Specify how many servers (child processes) are simultaneously
# listening on port PORT for a connection. Minimum value should be
# the peak requests-per-second expected + 5 for headroom.
#
# For single user home use, 8 should be minimum.
# For 500 users corporate use, start at 40.
#
# Value can and should be higher than recommended. Memory and
# CPU usage is only affected by the number of concurrent requests.
#
# More childs are automatically created when needed, up to MAXSERVERS.
#
# Default:
SERVERNUMBER 20
MAXSERVERS 99
#
# Files where to log requests and info/errors.
# Needs to have write permission for HAVP user.
#
# Default:
ACCESSLOG /var/log/havpaccess.log
ERRORLOG /var/log/havperror.log
#
# Syslog can be used instead of logging to file.
# For facilities and levels, see "man syslog".
#
# Default:
USESYSLOG true
SYSLOGNAME havp
SYSLOGFACILITY local6
SYSLOGLEVEL info
#
# true: Log every request to access log
# false: Log only viruses to access log
#
# Default:
LOG_OKS false
#
# Level of HAVP logging
# 0 = Only serious errors and information
# 1 = Less interesting information is included
#
# Default:
LOGLEVEL 0
#
# Temporary scan file.
# This file must reside on a partition for which mandatory
# locking is enabled. For Linux, use "-o mand" in mount command.
# See "man mount" for details. Solaris does not need any special
# steps, it works directly.
#
# Specify absolute path to a file which name must contain "XXXXXX".
# These characters are used by system to create unique named files.
#
# Default:
SCANTEMPFILE /var/tmp/tinyproxy/havp-XXXXXX
#
# Directory for ClamAV and other scanner created tempfiles.
# Needs to be writable by HAVP user. Use ramdisk for best performance.
#
# Default:
TEMPDIR /var/tmp/clamav
#
# HAVP reloads scanners virus database by receiving a signal
# (send SIGHUP to PID from PIDFILE, see "man kill") or after
# a specified period of time. Specify here the number of
# minutes to wait for reloading.
#
# This only affects library scanners (clamlib, trophie).
# Other scanners must be updated manually.
#
# Default:
# DBRELOAD 60
#
# Run HAVP as transparent Proxy?
#
# If you don't know what this means read the mini-howto
# TransparentProxy written by Daniel Kiracofe.
# (e.g.: http://www.tldp.org/HOWTO/mini/TransparentProxy.html)
# Definitely you have more to do than setting this to true.
# You are warned!
#
# Default:
TRANSPARENT true
#
# Specify a parent proxy (e.g. Squid) HAVP should use.
#
# Default: NONE
# PARENTPROXY localhost
# PARENTPORT 3128
#
# Write X-Forwarded-For: to log instead of connecters IP?
#
# If HAVP is used as parent proxy by some other proxy, this allows
# to write the real users IP to log, instead of proxy IP.
#
# Default:
# FORWARDED_IP false
#
# Send X-Forwarded-For: header to servers?
#
# If client sent this header, FORWARDED_IP setting defines the value,
# then it is passed on. You might want to keep this disabled for security
# reasons. Enable this if you use your own parent proxy after HAVP, so it
# will see the original client IP.
#
# Default:
# X_FORWARDED_FOR false
#
# Port HAVP is listening on.
#
# Default:
PORT 8080
#
# IP address that HAVP listens on.
# Let it be undefined to bind all addresses.
#
# Default: NONE
BIND_ADDRESS 192.168.0.85
#
# IP address used for sending outbound packets.
# Let it be undefined if you want OS to handle right address.
#
# Default: NONE
# SOURCE_ADDRESS 1.2.3.4
#
# Path to template files.
#
# Default:
TEMPLATEPATH /usr/local/etc/havp/templates/it
#
# Set to true if you want to prefer Whitelist.
# If URL is Whitelisted, then Blacklist is ignored.
# Otherwise Blacklist is preferred.
#
# Default:
# WHITELISTFIRST true
#
# List of URLs not to scan.
#
# Default:
# WHITELIST /usr/local/etc/havp/whitelist
#
# List of URLs that are denied access.
#
# Default:
# BLACKLIST /usr/local/etc/havp/blacklist
#
# Is scanner error fatal?
#
# For example, archive types that are not supported by scanner
# may return error. Also if scanner has invalid pattern files etc.
#
# true: User gets error page
# false: No error is reported (viruses might not be detected)
#
# Default:
# FAILSCANERROR true
#
# When scanning takes longer than this, it will be aborted.
# Timer is started after HAVP has fully received all data.
# If set too low, complex files/archives might produce timeout.
# Timeout is always a fatal error regardless of FAILSCANERROR.
#
# Default:
SCANNERTIMEOUT 30
#
# Allow HTTP Range requests?
#
# false: Broken downloads can NOT be resumed
# true: Broken downloads can be resumed
#
# Allowing Range is a security risk, because partial
# HTTP requests may not be properly scanned.
#
# Whitelisted sites are allowed to use Range in any case.
#
# Default:
# RANGE false
#
# If you really need more performance, you can disable scanning of
# JPG, GIF and PNG files. These are probably the most common files
# around, so it will save lots of CPU. But be warned, image exploits
# exist and more could be found. Think twice if you want to disable!
#
# Default:
SCANIMAGES true
#
# Temporary file will grow only up to this size. This means scanner
# will scan data until this limit is reached.
#
# NOTE: Setting limit is a security risk, because some archives like
# ZIP need all the data to be scanned properly! Use this only if you
# can't afford temporary space for big files. Also scanner settings
# will affect how many files will be scanned inside an archive etc.
#
# VALUE IN BYTES NOT KB OR MB!!!!
# 0 = No size limit
#
# Default:
MAXSCANSIZE 524288
#
# Amount of data going to browser that is held back, until it
# is scanned. When we know file is clean, this held back data
# can be sent to browser. You can safely set bigger value, only
# thing you will notice is some "delay" in beginning of download.
# Virus found in files bigger than this might not produce HAVP
# error page, but result in a "broken" download.
#
# VALUE IN BYTES NOT KB OR MB!!!!
#
# Default:
# KEEPBACKBUFFER 200000
#
# This setting complements KEEPBACKBUFFER. It tells how many Seconds to
# initially receive data from server, before sending anything to client.
# Even trickling is not done before this time elapses. This way files that
# are received fast are more secure and user can get virus report page for
# files bigger than KEEPBACKBUFFER.
#
# Setting to 0 will disable this, and only KEEPBACKBUFFER is used.
#
# Default:
# KEEPBACKTIME 5
#
# After Trickling Time (seconds), some bytes are sent to browser
# to keep the connection alive. Trickling is not needed if timeouts
# are not expected for files smaller than KEEPBACKBUFFER, but it is
# recommended to set anyway.
#
# 0 = No Trickling
#
# Default:
# TRICKLING 30
#
# Downloads larger than MAXDOWNLOADSIZE will be blocked.
# Only if not Whitelisted!
#
# VALUE IN BYTES NOT KB OR MB!!!!
# 0 = Unlimited Downloads
#
# Default:
# MAXDOWNLOADSIZE 0
#
# Space separated list of strings to partially match User-Agent: header.
# These are used for streaming content, so scanning is generally not needed
# and tempfiles grow unnecessary. Remember when enabled, that user could
# fake header and pass some scanning. HTTP Range requests are allowed for
# these, so players can seek content.
#
# You can uncomment here a list of most popular players.
#
# Default: NONE
# STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS
#
# Bytes to scan from beginning of streams.
# When set to 0, STREAMUSERAGENT scanning will be completely disabled.
# It is not recommended as there are some exploits for players.
#
# Default:
# STREAMSCANSIZE 20000

#####
##### ClamAV Library Scanner (libclamav)
#####
ENABLECLAMLIB true
# HAVP uses libclamav hardcoded pattern directory, which usually is
# /usr/local/share/clamav. You only need to set CLAMDBDIR, if you are
# using non-default DatabaseDirectory setting in clamd.conf.
#
# Default: NONE
# CLAMDBDIR /path/to/directory
# Should we block encrypted archives?
#
# Default:
# CLAMBLOCKENCRYPTED false
# Should we block files that go over maximum archive limits?
#
# Default:
# CLAMBLOCKMAX false
# Scanning limits inside archives (filesize = MB):
#
# Default:
# CLAMMAXFILES 1000
# CLAMMAXFILESIZE 10
# CLAMMAXRECURSION 8
# CLAMMAXRATIO 250

#####
##### ClamAV Socket Scanner (clamd)
#####
##### NOTE: ClamAV Library Scanner should be preferred (less overhead)
#####
ENABLECLAMD false
# Path to clamd socket
#
# Default:
# CLAMDSOCKET /tmp/clamd
# ..OR if you use clamd TCP socket, uncomment to enable use
#
# Clamd daemon needs to run on the same server as HAVP
#
# Default: NONE
# CLAMDSERVER 127.0.0.1
# CLAMDPORT 3310

#####
##### F-Prot Socket Scanner
#####
ENABLEFPROT false
# F-Prot daemon needs to run on same server as HAVP
#
# Default:
# FPROTSERVER 127.0.0.1
# FPROTPORT 10200

#####
##### AVG Socket Scanner
#####
ENABLEAVG false
# AVG daemon needs to run on the same server as HAVP
#
# Default:
# AVGSERVER 127.0.0.1
# AVGPORT 55555

#####
##### Kaspersky Socket Scanner
#####
ENABLEAVESERVER false
# Path to aveserver socket
#
# Default:
# AVESOCKET /var/run/aveserver

#####
##### Sophos Scanner (Sophie)
#####
ENABLESOPHIE false
# Path to sophie socket
#
# Default:
# SOPHIESOCKET /var/run/sophie

#####
##### Trend Micro Library Scanner (Trophie)
#####
ENABLETROPHIE false
# Scanning limits inside archives (filesize = MB):
#
# Default:
# TROPHIEMAXFILES 1000
# TROPHIEMAXFILESIZE 10
# TROPHIEMAXRATIO 250

#####
##### NOD32 Socket Scanner
#####
ENABLENOD32 false
# Path to nod32d socket
#
# Default:
# NOD32SOCKET /tmp/nod32d.sock

#####
##### Avast! Socket Scanner
#####
ENABLEAVAST false
# Path to avastd socket
#
# Default:
# AVASTSOCKET /var/run/avast4/local.sock
# ..OR if you use avastd TCP socket, uncomment to enable use
#
# Avast daemon needs to run on the same server as HAVP
#
# Default: NONE
# AVASTSERVER 127.0.0.1
# AVASTPORT 5036

Any suggestion?
20061912

The problem is generated by these requests:

Dec 19 15:53:19 havp[78592]: GET http://69.31.41.193/user2/bond0001/cc3.txt HTTP/1.0^M Host: 69.31.41.193^M
Dec 19 15:53:19 havp[78620]: GET http://195.225.176.34/user2/bond0001/exe/it_0001.exe HTTP/1.0^M Host: 195.225.176.34^M
Dec 19 15:53:19 havp[78621]: GET http://195.225.176.34/user2/winsyst32.exe HTTP/1.0^M Host: 195.225.176.34^M
Dec 19 15:53:19 havp[78615]: GET http://69.31.41.177/user2/bond0001/exe/it_0001.exe HTTP/1.0^M Host: 69.31.41.177^M
Dec 19 15:53:19 havp[78608]: GET http://69.31.41.193/user2/bond0001/exe/it_0001.exe HTTP/1.0^M Host: 69.31.41.193^M
Dec 19 15:53:20 havp[78590]: ( ????????????????????? )
Dec 19 15:53:20 havp[78591]: GET http://195.225.176.34/user2/bond0001/cc1.txt HTTP/1.0^M Host: 195.225.176.34^M
Dec 19 15:54:20 havp[78625]: GET http://69.31.41.177/user2/bond0001/cc2.txt HTTP/1.0^M Host: 69.31.41.177^M
Dec 19 15:55:20 havp[78596]: GET http://69.31.41.193/user2/bond0001/cc3.txt HTTP/1.0^M Host: 69.31.41.193^M
Dec 19 15:55:20 havp[78598]: GET http://195.225.176.34/user2/bond0001/exe/it_0001.exe HTTP/1.0^M Host: 195.225.176.34^M
Dec 19 15:55:20 havp[78600]: GET http://195.225.176.34/user2/winsyst32.exe HTTP/1.0^M Host: 195.225.176.34^M
Dec 19 15:55:20 havp[78603]: GET http://69.31.41.177/user2/bond0001/exe/it_0001.exe HTTP/1.0^M Host: 69.31.41.177^M
Dec 19 15:55:20 havp[78599]: GET http://69.31.41.193/user2/bond0001/exe/it_0001.exe HTTP/1.0^M Host: 69.31.41.193^M
Dec 19 15:55:20 havp[78610]: GET http://69.31.41.193/user2/winsyst32.exe HTTP/1.0^M Host: 69.31.41.193^M
Dec 19 15:55:20 havp[78597]: GET http://195.225.176.34/user2/bond0001/cc1.txt HTTP/1.0^M Host: 195.225.176.34^M
Dec 19 15:56:20 havp[78611]: GET http://69.31.41.177/user2/bond0001/cc2.txt HTTP/1.0^M Host: 69.31.41.177^M
Author: hege [ 28 Dec 2006 17:26 ]
That log looks a bit funny.. is everything like that or just these requests? Whose requests are those?

Cheers, Henrik
Author: vittorio [ 28 Dec 2006 18:17 ]
The problem is generated by a virus/trojan:

C:\WINDOWS\iexplorer32.dll
C:\WINDOWS\mdm32.dll
C:\WINDOWS\scrss32.dll
C:\WINDOWS\spoolvs32.dll
C:\WINDOWS\syshost.dll
C:\WINDOWS\syst32.dll
C:\WINDOWS\winsmgr32.dll

Avira -> TR/Rootkit.Gen
Kaspersky -> Trojan-Clicker.Win32.Costrat.r
Microsoft -> Win32/Rustock.gen!B
Prevx1 -> Covert.Code

To log the header request I have used this line in httphandler.cpp:

LogFile::ErrorMessage("%s",headerT.c_str());
Author: Spiral [ 12 Jan 2007 10:08 ]
Post subject: I see this also...
I have NOD32 installed as an AV on desktop, as a second layer of scanning, and notice getting those "invalid request" entries in my HAVP log. If I uninstall NOD32 on desktops those messages go away. I am currently working with the NOD32 tech support to figure out why, but a solution does not look good. The developers are looking at this, so I guess we will see. Meanwhile, I will have to find another desktop scanner.
Author: hege [ 12 Jan 2007 19:29 ]
Why not just disable the NOD32 web monitor module (IMON)? And there are also different compatibility settings, did you try them? I'll try to debug a bit what kind of invalid request NOD32 is sending to HAVP..
Author: Spiral [ 12 Jan 2007 23:24 ]
Post subject: I disabled the IMON monitor...
Hope this helps... After disabling the IMON monitor I still keep receiving this in the HAVP log:

11/01/2007 20:39:55 Could not connect to server (u12.eset.com:80)
11/01/2007 20:40:41 Could not connect to server (u12.eset.com:80)
11/01/2007 20:41:16 Could not connect to server (u15.eset.com:80)
11/01/2007 20:42:02 Could not connect to server (u15.eset.com:80)
11/01/2007 20:42:20 Could not connect to server (u15.eset.com:80)
11/01/2007 20:43:14 (127.0.0.1) Invalid request from browser
11/01/2007 20:43:59 Could not connect to server (u13.eset.com:80)
11/01/2007 20:44:45 Could not connect to server (u13.eset.com:80)
11/01/2007 20:44:59 Could not connect to server (u14.eset.com:80)
11/01/2007 20:45:25 (127.0.0.1) Invalid request from browser
11/01/2007 20:45:45 Could not connect to server (u14.eset.com:80)
11/01/2007 20:47:09 (127.0.0.1) Invalid request from browser
11/01/2007 20:47:21 (127.0.0.1) Invalid request from browser
11/01/2007 20:47:21 (127.0.0.1) Invalid request from browser
11/01/2007 20:49:00 (127.0.0.1) Invalid request from browser
11/01/2007 20:51:56 (127.0.0.1) Invalid request from browser
11/01/2007 20:51:56 (127.0.0.1) Invalid request from browser
11/01/2007 20:51:56 (127.0.0.1) Invalid request from browser
11/01/2007 20:51:57 (127.0.0.1) Invalid request from browser
11/01/2007 20:54:12 (127.0.0.1) Invalid request from browser

I can duplicate this behavior on another network, with a fresh install of XP and only NOD32 installed on the desktop, behind a HAVP proxy. I captured some packets with Wireshark, and in all the invalid request attempts, I captured a "HTTP/1.0 403 Forbidden" packet when trying to surf to www.yahoo.com. Then on a network without NOD32 installed anywhere and behind HAVP, I captured the same web request packets and no "HTTP/1.0 403 Forbidden" packet, hence www.yahoo.com actually loads into the browser.
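A small triage script for HAVP error-log lines of the two shapes quoted in the post above, added here as an example and not part of HAVP or of any poster's code: it counts "Invalid request from browser" entries per client address and "Could not connect to server" entries per target, so an admin can see whether the noise comes from one host (an infected machine or a desktop AV module, as in this thread) or from one vendor's cluster of update servers. The sample log is constructed in the same format, and the threshold of three invalid requests is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the format of the HAVP error log quoted above
# (same two message shapes; times and the second client are made up).
SAMPLE_LOG = """\
11/01/2007 20:39:55 Could not connect to server (u12.eset.com:80)
11/01/2007 20:40:41 Could not connect to server (u12.eset.com:80)
11/01/2007 20:43:14 (127.0.0.1) Invalid request from browser
11/01/2007 20:43:59 Could not connect to server (u13.eset.com:80)
11/01/2007 20:45:25 (127.0.0.1) Invalid request from browser
11/01/2007 20:47:21 (127.0.0.1) Invalid request from browser
11/01/2007 20:51:56 (192.168.0.12) Invalid request from browser
11/01/2007 20:52:00 Scanner error: unrelated line, ignored
"""

TIMESTAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
INVALID_RE = re.compile(
    TIMESTAMP + r" \((?P<client>[0-9.]+)\) Invalid request from browser$")
NOCONNECT_RE = re.compile(
    TIMESTAMP + r" Could not connect to server \((?P<target>[^)]+)\)$")

def parse_havp_errorlog(text):
    """Count 'Invalid request' lines per client IP and 'Could not connect'
    lines per host:port; lines of any other shape are ignored."""
    invalid, unreachable = Counter(), Counter()
    for line in text.splitlines():
        m = INVALID_RE.match(line)
        if m:
            invalid[m.group("client")] += 1
            continue
        m = NOCONNECT_RE.match(line)
        if m:
            unreachable[m.group("target")] += 1
    return invalid, unreachable

def noisy_clients(invalid, threshold=3):
    """Clients with at least `threshold` invalid requests (assumed cut-off);
    in this thread that was an infected host or NOD32 on the desktop."""
    return sorted(ip for ip, n in invalid.items() if n >= threshold)

def unreachable_by_domain(unreachable):
    """Collapse host:port targets to their last two labels, so one vendor's
    cluster of update servers (u12/u13.eset.com here) shows as a single entry."""
    by_domain = Counter()
    for target, n in unreachable.items():
        host = target.rsplit(":", 1)[0]
        by_domain[".".join(host.split(".")[-2:])] += n
    return dict(by_domain)
```

Run it over the real havperror.log instead of SAMPLE_LOG to get the per-client and per-domain counts for your own proxy.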