Re: LINK Question

[Tomi Tuominen <Tomi.Tuominen () F-SECURE COM>]

"Robert G. Ferrell" wrote:
> > They were unsuccessful because they got error code 501.
> > 501 means that your server does not support the facility required.
> > i.e LINK method. 501 means "Not implemented".
>
> Sorry, I apparently didn't make myself clear.  I know what the Link
> method does and what 501 means. What I don't know is why these
> requests come in every three hours, and what they're trying
> to accomplish.  Is it just a poll to see if any meta information
> has changed at the site?  I'd like to filter these out of my logs,
> but not until I assure myself that they aren't of any consequence,
> security-wise.

IMHO, you can filter those entries out of your logs. If those requests
where successful (i.e. return code 200) I would consider investigating
this further but because the response is 501 it means that your server
simply discards the request. My guess is that somebody has misconfigured
their www probe/search engine spider etc.

_If_ you want to investigate this further you could enable user agent
directive. This way you can see what program is generating that entry.
(Ofcourse this will not help you if somebody is deliberately trying to
fool you (i.e. using lynx, user agent set to 'Darth Vader') but then
again you know that there is something going on ...)

HTH,

--T

--
[   Tomi 'T' Tuominen
[   F-Secure Corporation / Security Research
[   http://www.F-Secure.com