Forum OpenACS Q&A: Re: Crack attempts and wasted bandwidth

Posted by David Walker on
Yes. I filter and monitor all SEARCH requests and I have been seeing plenty of those.

Since SEARCH is a WebDAV command, I assume the following would prevent WebDAV from working.  The filter as written also blocks requests for .exe, .dll, .ida and similar files.

Personally I log the requests but you could change it to ignore them.

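# Preauth filter: log the request as an intrusion attempt and answer 403.
#
# Arguments:
#   conn, args, why - supplied by the server's filter mechanism; not used here
#                     (presumably connection id, registration args and filter
#                     stage -- confirm against the server version in use).
# Returns:
#   filter_ok      for the single exempt URL, so normal processing continues
#   filter_return  after the 403 has been sent, so nothing else handles it
proc vt_notfound_from_filter {conn args why} {
    set url [ns_conn url]

    # decided this one is harmless enough for an exception to the dll rule.
    # Compare exactly: the request URL is untrusted and must never be used
    # as the glob pattern (the earlier lsearch -glob call had the list and
    # the URL in pattern position, so a URL containing glob characters
    # could be treated as the exempt path).
    if {[string equal $url "/_vti_bin/owssvr.dll"]} {
        return filter_ok
    }

    set host_header [ns_set iget [ns_conn headers] "Host"]

    # Host, URL and query string are client-controlled. Replace double
    # quotes and control characters so a request cannot close the TARGET
    # field early or start a forged log line.
    set target "[ns_conn method] ${host_header}${url}?[ns_conn query]"
    regsub -all {[[:cntrl:]"]} $target {_} target

    ns_log error "FROM=\"[ns_conn peeraddr]\",MSG=\"Intrusion attempt\",TARGET=\"${target}\""
    ns_returnforbidden
    return filter_return
}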

# Never serve backup files, include files, CVS metadata or Windows-style
# binaries/CGI paths: route every GET, POST and HEAD request whose URL matches
# one of these glob patterns to the logging filter.
foreach pat {*.bak* *.inc *.swt *CVS* *.ida *.exe* *.dll* /includes* /cgi-bin*} {
    foreach method {GET POST HEAD} {
        ad_register_filter preauth $method $pat vt_notfound_from_filter
    }
}

# Refuse WebDAV/Exchange-style and proxying HTTP methods on every URL and log
# each attempt. Here the loop variable holds an HTTP method name, not a URL
# pattern; the URL pattern is the literal "*".
# NOTE(review): this is a deny-list, so any method not named here (for example
# PROPPATCH, OPTIONS or TRACE) is not covered by this filter -- confirm that is
# intended.
# NOTE(review): ns_register_filter is called directly rather than
# ad_register_filter; presumably the ad_ wrapper does not accept these
# methods -- confirm.
foreach pat {
    BCOPY BDELETE BMOVE BPROPFIND BPROPPATCH
    COPY DELETE LOCK MKCOL MOVE
    NOTIFY POLL PROPFIND SEARCH
    SUBSCRIBE UNLOCK UNSUBSCRIBE
    PUT CONNECT
} {
    ns_register_filter preauth $pat * vt_notfound_from_filter
}