Security Incidents mailing list archives
Re: LINK Question
From: Tomi Tuominen <Tomi.Tuominen () F-SECURE COM>
Date: Tue, 13 Feb 2001 14:21:20 +0200
"Robert G. Ferrell" wrote:
They were unsuccessful because they got error code 501. 501 means that your server does not support the facility required. i.e LINK method. 501 means "Not implemented".Sorry, I apparently didn't make myself clear. I know what the Link method does and what 501 means. What I don't know is why these requests come in every three hours, and what they're trying to accomplish. Is it just a poll to see if any meta information has changed at the site? I'd like to filter these out of my logs, but not until I assure myself that they aren't of any consequence, security-wise.
IMHO, you can filter those entries out of your logs. If those requests where successful (i.e. return code 200) I would consider investigating this further but because the response is 501 it means that your server simply discards the request. My guess is that somebody has misconfigured their www probe/search engine spider etc. _If_ you want to investigate this further you could enable user agent directive. This way you can see what program is generating that entry. (Ofcourse this will not help you if somebody is deliberately trying to fool you (i.e. using lynx, user agent set to 'Darth Vader') but then again you know that there is something going on ...) HTH, --T -- [ Tomi 'T' Tuominen [ F-Secure Corporation / Security Research [ http://www.F-Secure.com
Current thread:
- LINK Question Robert G. Ferrell (Feb 10)
- Re: LINK Question Tomi Tuominen (Feb 11)
- <Possible follow-ups>
- Re: LINK Question Robert G. Ferrell (Feb 12)
- Re: LINK Question Tomi Tuominen (Feb 13)