Mod_Security blocking some scanning

Discussion in 'Security' started by leomeleo, Mar 18, 2007.

  1. #1
    Hello all,

    I really need some help here. I need to block the vulnerability scanner. I keep getting these logs on my Linux Apache server:

    [error] [client 71.59.164.182] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
    I have entered the rules below in my mod_security 1.9 but I am still getting those logs, meaning they are still able to scan... Please tell me what went wrong and what rules I should put in mod_security 1.9 to effectively block this scanning.

    
    
    SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind"
    SecFilterSelective REQUEST_URI "\w00tw00t\.at\.ISC\.SANS"
    SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS"
    SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:"
    SecFilterSelective REQUEST_URI "w00tw00t\.at\.ISC\.SANS\.DFind:\)"
    
    Thank you.
     
    leomeleo, Mar 18, 2007
  2. #2
    AFAIK, it's a port scanner, and is not specific to just Apache. There are other more important log entries you need to be concerned about.

    I'm currently using mod_security 1.9.4 on Apache 2.2.4 and it works great for what I'm using it for. In addition to built-in Apache logging features, mod_security provides a way for me to dig deeper into logging and implement restrictions as issues arise. :)

    mod_security2 is a different beast, and I'm still reading documentation, so I'm not quite ready yet to migrate my 500+ rulesets/directives. :/
     
    scaturan, Apr 13, 2007
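
The log entry quoted in the first post, as an added example that is not part of the thread: a small Python parser that picks the hostname-less `w00tw00t.at.ISC.SANS.DFind` probe out of Apache error-log lines and tallies it per client. The function names are illustrative, and every sample line except the one from the post is constructed (documentation-range addresses, assumed timestamp prefix).

```python
import re
from collections import Counter

# Error-log layout as quoted in the thread; a leading [timestamp] field is
# accepted as optional (assumption: the post shows the line without one).
LINE_RE = re.compile(
    r'^(?:\[(?P<ts>[^\]]+)\]\s+)?'
    r'\[(?P<level>\w+)\]\s+'
    r'\[client (?P<client>[0-9a-fA-F.:]+)\]\s+'
    r'(?P<msg>.*)$'
)
# Apache core message for an HTTP/1.1 request that carries no Host header.
NO_HOST_RE = re.compile(
    r'client sent HTTP/1\.1 request without hostname '
    r'\(see RFC2616 section 14\.23\): (?P<uri>\S+)'
)
DFIND_MARKER = "w00tw00t.at.ISC.SANS.DFind"

def parse_line(line):
    """Return a dict for a client-scoped log line, or None if it has no client."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    nh = NO_HOST_RE.search(rec["msg"])
    rec["no_host"] = nh is not None
    rec["uri"] = nh.group("uri") if nh else None
    rec["dfind"] = nh is not None and DFIND_MARKER in rec["uri"]
    return rec

def tally_probes(lines):
    """Count DFind probe lines per client address."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dfind"]:
            hits[rec["client"]] += 1
    return hits

NO_HOST = "client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): "
SAMPLE_LOG = [
    "[error] [client 71.59.164.182] " + NO_HOST + "/w00tw00t.at.ISC.SANS.DFind:)",  # from the post
    # Everything below is constructed sample data.
    "[Sun Mar 18 10:01:02 2007] [error] [client 192.0.2.10] " + NO_HOST + "/w00tw00t.at.ISC.SANS.DFind:)",
    "[Sun Mar 18 10:01:09 2007] [error] [client 192.0.2.10] " + NO_HOST + "/w00tw00t.at.ISC.SANS.DFind:)",
    "[Sun Mar 18 10:02:00 2007] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico",
    "[Sun Mar 18 10:03:00 2007] [error] [client 203.0.113.5] " + NO_HOST + "/index.html",
    "[Sun Mar 18 10:04:00 2007] [notice] Apache configured -- resuming normal operations",
]

if __name__ == "__main__":
    for client, count in tally_probes(SAMPLE_LOG).most_common():
        print(client, count)
```

The per-client counts can feed a report or an alert threshold; hostname-less requests for other paths are parsed (`no_host` is true) but are not counted as DFind probes.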