Re: Invalid character found in method name. HTTP method names must be tokens
On Thu, Feb 7, 2019 at 6:57 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Sean,
>
> On 2/7/19 14:01, Sean Dawson wrote:
> > Hello, we're using Tomcat 8.5_35 on Linux (CentOS7) and Windows
> > (2016 Server and above) and here and there we see this in the
> > logs...
> >
> > org.apache.coyote.http11.AbstractHttp11Processor.process Error
> > parsing HTTP request header Note: further occurrences of HTTP
> > header parsing errors will be logged at DEBUG level.
> > java.lang.IllegalArgumentException: Invalid character found in
> > method name. HTTP method names must be tokens at
> > org.apache.coyote.http11.AbstractNioInputBuffer.parseRequestLine(AbstractNioInputBuffer.java:232)
> >
> > I can provide the full stack trace if needed. But we've determined
> > it arises due to requests like this (from the access logs)...
> >
> > "-" 400 -
> >
> > I don't know how that happens. Maybe hacking attempt?
>
> What is the source IP? Many monitoring systems and load-balancers use
> weird requests like that, so it might not be an attack.

I think it was North or South Korea, or China. It was not from somewhere we
have customers.

Thanks to you and Mark for your replies.
Re: Invalid character found in method name. HTTP method names must be tokens
Sean,

On 2/7/19 14:01, Sean Dawson wrote:
> Hello, we're using Tomcat 8.5_35 on Linux (CentOS7) and Windows
> (2016 Server and above) and here and there we see this in the
> logs...
>
> org.apache.coyote.http11.AbstractHttp11Processor.process Error
> parsing HTTP request header Note: further occurrences of HTTP
> header parsing errors will be logged at DEBUG level.
> java.lang.IllegalArgumentException: Invalid character found in
> method name. HTTP method names must be tokens at
> org.apache.coyote.http11.AbstractNioInputBuffer.parseRequestLine(AbstractNioInputBuffer.java:232)
>
> I can provide the full stack trace if needed. But we've determined
> it arises due to requests like this (from the access logs)...
>
> "-" 400 -
>
> I don't know how that happens. Maybe hacking attempt?

What is the source IP? Many monitoring systems and load-balancers use
weird requests like that, so it might not be an attack.

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Invalid character found in method name. HTTP method names must be tokens
On 07/02/2019 19:01, Sean Dawson wrote:
> Hello, we're using Tomcat 8.5_35 on Linux (CentOS7) and Windows (2016
> Server and above) and here and there we see this in the logs...
>
> org.apache.coyote.http11.AbstractHttp11Processor.process Error parsing HTTP
> request header
> Note: further occurrences of HTTP header parsing errors will be logged at
> DEBUG level.
> java.lang.IllegalArgumentException: Invalid character found in method
> name. HTTP method names must be tokens
> at
> org.apache.coyote.http11.AbstractNioInputBuffer.parseRequestLine(AbstractNioInputBuffer.java:232)
>
> I can provide the full stack trace if needed. But we've determined it
> arises due to requests like this (from the access logs)...
>
> "-" 400 -
>
> I don't know how that happens. Maybe hacking attempt?
>
> If I use Google, all I can find for the exception is that someone is
> attempting to use https instead of http (their server is configured for the
> latter only). We're using https on our server.
>
> It's very difficult to search for the request line above.
>
> What is this from?

Like the message says, someone submitted a request with an invalid HTTP
method. Something like:

AAA:XXX /index.html HTTP/1.1
Host: your.server.com
etc.

> Or at least, is there a way to stop the exception stack
> from showing up in the logs? Thanks.

-Dorg.apache.juli.logging.UserDataHelper.CONFIG=DEBUG_ALL

moves all messages to debug level. NONE stops them completely.

Mark
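An added example, not part of the thread and not Tomcat's own code: a Python triage sketch that checks the first bytes of a connection against the RFC 7230 token grammar (also flagging a TLS handshake sent to a plain HTTP port, the case mentioned above) and counts which client addresses produced `"-" 400 -` entries. The access log layout (Tomcat's "common" pattern), the function names and all sample data are assumptions constructed for illustration.

```python
import re
from collections import Counter

# RFC 7230 section 3.2.6: method = token = 1*tchar
TCHAR = frozenset(b"!#$%&'*+-.^_`|~0123456789"
                  b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

def classify_request_start(raw: bytes) -> str:
    """Say why the first bytes on a connection do or do not start with a valid method."""
    if not raw:
        return "empty"
    # A TLS record starts with content type 0x16 (handshake) and major version 0x03.
    if raw[:2] == b"\x16\x03":
        return "tls-handshake"
    method = re.split(rb"[ \r\n]", raw, maxsplit=1)[0]
    if not method:
        return "empty-method"
    bad = [b for b in method if b not in TCHAR]
    return "invalid-char-0x%02x" % bad[0] if bad else "token-ok"

# Assumed access log layout: Tomcat's "common" pattern (%h %l %u %t "%r" %s %b).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+$')

def rejected_sources(lines):
    """Count client addresses logged with request line "-" and status 400."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m.group(2) == "-" and m.group(3) == "400":
            hits[m.group(1)] += 1
    return hits

# Constructed samples (documentation address ranges, not data from the thread).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Feb/2019:14:01:02 -0500] "-" 400 -',
    '198.51.100.20 - - [07/Feb/2019:14:01:05 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [07/Feb/2019:14:03:41 -0500] "-" 400 -',
    '192.0.2.15 - - [07/Feb/2019:14:09:10 -0500] "-" 400 -',
]
SAMPLE_BYTES = [
    b"AAA:XXX /index.html HTTP/1.1\r\nHost: your.server.com\r\n\r\n",
    b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",
    b"GET /index.html HTTP/1.1\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_BYTES:
        print(classify_request_start(raw), raw[:16])
    for addr, n in rejected_sources(SAMPLE_LOG).most_common():
        print(addr, n)
```

Because the access log records only `-` for a request line that failed to parse, the offending bytes themselves have to come from a packet capture or a front-end proxy log before `classify_request_start` can be applied to them.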