Re: Use of HEAD in web server scan

["Mike Lewinski" <mike () rockynet com>]

> I went back to the snort logs and had a look at the packet dumps and
> found that they were all HEAD requests which appear not to be logged by
> IIS.

whisker uses HEAD requests by default.

IIS will log HEAD requests, but may require some reconfiguration of logging
parameters. I.E. I just checked and this was logged on an IIS 4 server:

13:31:51 195.92.95.69 W3SVC30 HEAD /index.htm - 200 284 153 80 Mozilla/4.0+
(compatible;+Netcraft+Web+Server+Survey) http://www.netcraft.com/survey/

I've selected "W3C Extended Log File Format" in the MMC. Also under
"Properties" I have checked "Method" (plus everything else of interest).

If you find that these settings are present on your system, perhaps the logs
were cleaned.

Mike



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com