
Question Fail2Ban filter for this strange log entry?

Maris

Basic Pleskian
Hello, I've recently found several very strange entries in my access log:
xx.xxx.xx.xx - - [08/Oct/2017:00:23:56 +0300] "" 400 0 "-" "-"

There is no host, there is no POST or GET or anything, only the IP and error number.
My question is: how would Fail2Ban's filter look to ban this IP?

failregex = ^<HOST>.*"(GET|POST).*" (400) .*$

This is not working since there is no host, and no GET or POST either.

Please help, thanks!
 
In most cases, this kind of 400 response indicates that the client sends too large a header. The option

Code:
large_client_header_buffers 4 16k;

should help.
 
This was malicious traffic, not regular traffic; that's why I am asking how to auto-ban such requests through Fail2Ban based on the line I provided from the logs. Thanks.
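Added example, not part of the thread or of Fail2Ban's own code: a small Python check that runs the failregex from the question and a candidate pattern for the empty-request line over constructed log lines. The `HOST` stand-in, the `EMPTY_REQUEST` pattern and the sample IPs are assumptions made for this illustration.

```python
import re

# Simplified stand-in for Fail2Ban's <HOST> tag (assumption: the real
# expansion handles IPv6 and hostnames in more detail).
HOST = r"(?P<host>\S+)"

# Pattern from the question: it requires GET or POST inside the quotes,
# so a line whose request field is "" can never match.
ORIGINAL = r'^<HOST>.*"(GET|POST).*" (400) .*$'

# Candidate pattern (added here): empty request string with status 400.
# The bracket content may be empty because Fail2Ban can cut the matched
# timestamp out of the line before failregex is applied.
EMPTY_REQUEST = r'^<HOST> \S+ \S+ \[[^\]]*\] "" 400 \d+'

# Constructed sample lines using documentation IP ranges.
SAMPLE_LOG = [
    '198.51.100.23 - - [08/Oct/2017:00:23:56 +0300] "" 400 0 "-" "-"',
    '198.51.100.23 - - [] "" 400 0 "-" "-"',  # same line, timestamp removed
    '203.0.113.7 - - [08/Oct/2017:00:24:01 +0300] '
    '"GET /index.php HTTP/1.1" 400 172 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [08/Oct/2017:00:24:09 +0300] '
    '"GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST))


def hosts_to_ban(failregex, lines):
    """Return the host captured from every line the pattern matches."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("empty-request", EMPTY_REQUEST)):
        print(name, "->", hosts_to_ban(pattern, SAMPLE_LOG))
```

A pattern that passes here can be placed on the `failregex` line of a filter file and checked against the real access log with `fail2ban-regex` before the jail is enabled.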
 