HTTPBAN.SYS(8)          XR32 REFERENCE MANUAL                25/1/2013

NAME
        HTTPBAN.SYS -- Blocks Malicious HTTP Requests (Optional).

DESCRIPTION
        XR32's HTTP server doesn't suffer from the usual Windows
        vulnerabilities, so malicious HTTP requests designed to
        exploit them are simply a bandwidth-wasting nuisance
        rather than a real threat. You can frustrate the hackers
        by deploying this optional file.

        The HTTPBAN.SYS file contains "signatures" or "templates"
        of typical malicious request URLs. For example, a request
        for "default.ida" is part of a Code Red Worm attack, whilst
        requests for "cmd.exe" are an attempt to locate vulnerable
        Windows servers.

        Each template is specified on a separate line, can be up
        to 127 characters long, and must start in the leftmost
        column. The templates are compared in a sliding match with
        each requested URL.

        If any part of the first 256 bytes of the URL matches a
        template, the sender's IP address is entered into a ban
        list and all further IP datagrams from that host are
        ignored until XR32 is restarted.

        Up to 20 hosts can be banned simultaneously.

OPTIONS
        The file may contain comments, which must begin with
        '#' or ';' in the leftmost column.

        If a template is preceded by the word ANYCASE, a
        case-insensitive match is performed; otherwise the match
        is case-sensitive. There must be one or more spaces
        between the word ANYCASE and the template.

EXAMPLES
        default.ida
        ANYCASE cmd.exe
        /contac.php
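
        Added example (not part of the original manual or of XR32):
        a Python check that parses a signature file by the rules
        above and reports which request URLs would trigger a ban.
        The function names are hypothetical; the handling of blank
        or indented lines, over-long templates, trailing whitespace
        and matches straddling the 256-byte limit is assumed.

```python
MAX_TEMPLATE = 127  # template length limit stated on the page
WINDOW = 256        # only the first 256 bytes of the URL are examined

def parse_httpban(text):
    """Return [(template_bytes, anycase)] from the text of an HTTPBAN.SYS file."""
    rules = []
    for line in text.splitlines():
        # Comments begin with '#' or ';' in the leftmost column.
        # Assumption: blank lines and lines starting with whitespace are ignored.
        if not line or line[0] in "#;" or line[0].isspace():
            continue
        anycase = line.startswith("ANYCASE ")
        if anycase:
            line = line[len("ANYCASE"):].lstrip(" ")
        line = line.rstrip()  # assumption: trailing whitespace is not significant
        # Assumption: empty or over-long templates are skipped.
        if line and len(line) <= MAX_TEMPLATE:
            rules.append((line.encode("latin-1"), anycase))
    return rules

def first_match(rules, url):
    """Return the first template found anywhere in the URL window, else None."""
    # Assumption: a match must lie wholly inside the first 256 bytes.
    window = url[:WINDOW]
    folded = window.lower()
    for template, anycase in rules:
        if (template.lower() in folded) if anycase else (template in window):
            return template
    return None

def audit(rules, urls):
    """List (url, template) for every URL whose sender would be banned."""
    hits = []
    for url in urls:
        template = first_match(rules, url)
        if template is not None:
            hits.append((url, template))
    return hits

# Constructed sample file, using the templates from EXAMPLES.
SAMPLE_FILE = "# worm probes\n; second comment style\ndefault.ida\nANYCASE cmd.exe\n/contac.php\n"

# Constructed request URLs; the last two are ordinary pages.
SAMPLE_URLS = [b"/default.ida?x", b"/scripts/CMD.EXE", b"/Default.IDA",
               b"/downloads/cmd.exe-replacement.html", b"/contact.php"]

if __name__ == "__main__":
    for url, template in audit(parse_httpban(SAMPLE_FILE), SAMPLE_URLS):
        print(url.decode(), "-> banned by", template.decode())
```

        Because the match slides, the ordinary download page is hit
        by the "cmd.exe" template, and its sender would stay banned
        until XR32 is restarted.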

FILES
        If required, HTTPBAN.SYS must be located in the same
        directory as XR32.EXE.

SEE ALSO
        HTTP.ACL(8) -- Egress Control for HTTP Proxy / Tunnel
        HTTP.SYS(8) -- HTTP Rewrite / Proxy rules

HTTPBAN.SYS(8)               END OF DOCUMENT