Try actually reading the code ... you can disable the whole feature via a
simple #define.
/*
* This is the size of the table that holds IP addresses we don't want to
* talk to (due to sending an invalid - i.e. hostile) URL
*
* Valid values are 0 (disables) up to whatever.
*/
#define MAX_NUM_BAD_IP_ADDRESSES 3
and
#if defined(MAX_NUM_BAD_IP_ADDRESSES) && (MAX_NUM_BAD_IP_ADDRESSES > 0)
  /* Note if the size of the table is zero, we simply nullify all of this
     code (why bother wasting the work effort)
     Burton M. Strauss III <[EMAIL PROTECTED]>, June 2002
  */
  for(i=0; i<MAX_NUM_BAD_IP_ADDRESSES; i++) {
    if(addrcmp(&myGlobals.weDontWantToTalkWithYou[i].addr,&from) == 0) {
      if((myGlobals.weDontWantToTalkWithYou[i].lastBadAccess +
          PARM_WEDONTWANTTOTALKWITHYOU_INTERVAL) < myGlobals.actTime) {
        /*
         * We 'forget' the address of this nasty guy after 5 minutes
         * since its last bad access as we hope that he will be nicer
         * with ntop in the future.
         */
        memset(&myGlobals.weDontWantToTalkWithYou[i], 0,
               sizeof(BadGuysAddr));
        traceEvent(CONST_TRACE_INFO, "clearing lockout for address %s",
                   _addrtostr(&from, requestedURL, sizeof(requestedURL)));
      } else {
        myGlobals.weDontWantToTalkWithYou[i].count++;
        myGlobals.numHandledBadrequests[myGlobals.newSock > 0]++;
        traceEvent(CONST_TRACE_ERROR,
                   "Rejected request from address %s (it previously sent ntop a bad request)",
                   _addrtostr(&from, requestedURL, sizeof(requestedURL)));
        return;
      }
    }
  }
#endif
You might want to do that (disable the feature) in a development situation.
For production use, not wasting time on requests from an attacker allows
ntop to focus on its primary mission: to try and keep up with the incoming
packets...
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tamas Kovacshazy
Sent: Sunday, July 03, 2005 8:51 AM
To: [email protected]
Subject: [Ntop-dev] Re: URL problem++
Hi,
I was not patient enough to wait for your "BadGuy" timeout nor did I identify
it in http.c (spent approximately 10 minutes reading it, I must accept).
Sorry for your time.
Anyway, I would simply return a "Not Found", and not bother to maintain a
BadGuy timeout for these strange URLs. Most of them are caused by simple
config errors or badly written scripts. These errors are corrected fast, as
in my case (I triggered the code by some badly constructed reverse proxy
config).
Best regards,
khazy
_______________________________________________________________________________
Tamas Kovacshazy  E-mail: [EMAIL PROTECTED]  WWW: http://www.mit.bme.hu/~khazy
Budapest University of Technology and Economics
Department of Measurement and Information Systems  WWW: http://www.mit.bme.hu
_______________________________________________
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
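
The lockout behaviour discussed in this thread, as an added stand-alone C model (not ntop's code and not written by either poster). The names record_bad, is_locked_out, MAX_BAD and LOCKOUT_SECS are hypothetical, the slot-reuse policy is an assumption because the recording side is not shown in the thread, and the 300-second interval is taken from the "5 minutes" comment. It shows that one bad request blocks the address for a fixed window that rejected requests do not extend.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#define MAX_BAD 3         /* table size; 0 compiles the feature out */
#define LOCKOUT_SECS 300  /* the "5 minutes" from the quoted comment */
typedef struct { uint32_t addr; time_t last_bad; unsigned count; } BadAddr;
static BadAddr bad[MAX_BAD > 0 ? MAX_BAD : 1];

/* Record a bad request. Assumed policy (the recording side is not shown
 * in the thread): refresh a matching entry, else reuse the oldest slot. */
void record_bad(uint32_t addr, time_t now) {
#if MAX_BAD > 0
  int victim = 0;
  for (int i = 0; i < MAX_BAD; i++) {
    if (bad[i].addr == addr) { victim = i; break; }
    if (bad[i].last_bad < bad[victim].last_bad) victim = i;
  }
  if (bad[victim].addr != addr) bad[victim].count = 0;
  bad[victim].addr = addr; bad[victim].last_bad = now;
#else
  (void)addr; (void)now;
#endif
}

/* Returns 1 if the request must be rejected, 0 if it may be served. */
int is_locked_out(uint32_t addr, time_t now) {
#if MAX_BAD > 0
  for (int i = 0; i < MAX_BAD; i++) {
    if (bad[i].addr == 0 || bad[i].addr != addr) continue;
    if (bad[i].last_bad + LOCKOUT_SECS < now) {
      memset(&bad[i], 0, sizeof(bad[i]));  /* forget the address */
      return 0;
    }
    bad[i].count++;  /* last_bad untouched: rejections do not extend the window */
    return 1;
  }
#endif
  (void)addr; (void)now;
  return 0;
}

int main(void) {
  const uint32_t ip = 0xC0000201u;  /* constructed sample: 192.0.2.1 */
  record_bad(ip, 1000);             /* one bad URL at t=1000 */
  for (time_t t = 1299; t <= 1301; t++)
    printf("t=%ld locked=%d\n", (long)t, is_locked_out(ip, t));
  return 0;
}
```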