Re: http_inspect: UNKNOWN METHOD

[Greg Williams <gwillia5 () uccs edu>]

I sampled a few, it's any one of them actually.  HEAD, POST, GET, etc.  http_inspect not working correctly?  

-----Original Message-----
From: Matt Watchinski [mailto:mwatchinski () sourcefire com] 
Sent: Tuesday, December 11, 2012 11:41 AM
To: Greg Williams
Cc: Jeremy Hoel; snort-users () lists sourceforge net
Subject: Re: [Snort-users] http_inspect: UNKNOWN METHOD

What method does it think is unknown?

These are the default methods in the 294 conf

GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE 
TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST 
CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA

If its not in that list, then it would alert.

Cheers,
-matt

On Tue, Dec 11, 2012 at 1:37 PM, Greg Williams <gwillia5 () uccs edu> wrote:
> Thanks for the confirmation.  I've been running this for 2 years with only minor tweaks to the rulesets and this is 
> the first time I've seen this.  It has hits on 4075 internal addresses.
>
>
> -----Original Message-----
> From: Jeremy Hoel [mailto:jthoel () gmail com]
> Sent: Tuesday, December 11, 2012 11:27 AM
> To: Greg Williams
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] http_inspect: UNKNOWN METHOD
>
> We gotten a lot of alerts for that before.. and we actually have that in our disabled.conf file.
>
> We got back and look at them semi often to see if we can work out the deal, but for now we have this disabled.
>
> On Tue, Dec 11, 2012 at 6:16 PM, Greg Williams <gwillia5 () uccs edu> wrote:
> > I updated the rules (free VRT) last Friday and didn't look at the 
> > alerts until today.  I've received 158,000 alerts for http_inspect: UNKNOWN METHOD.
> > SID is 119-31. alert ( msg: "HI_CLIENT_UNKNOWN_METHOD"; sid: 31; gid:
> > 119;
> > rev: 1; metadata: rule-type preproc ; classtype:unknown; )
> >
> >
> >
> > I don't see a reason for this, and I can put a threshold on this 
> > rule, but is anyone else seeing the same kind of alerts within the past few days?
> >
> >
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > -
> > -------- LogMeIn Rescue: Anywhere, Anytime Remote support for IT. 
> > Free Trial Remotely access PCs and mobile devices and provide instant 
> > support Improve your efficiency, and focus on delivering more 
> > value-add services Discover what IT Professionals Know. Rescue 
> > delivers http://p.sf.net/sfu/logmein_12329d2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest 
> > Snort news!
>
> ----------------------------------------------------------------------
> -------- LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free 
> Trial Remotely access PCs and mobile devices and provide instant 
> support Improve your efficiency, and focus on delivering more 
> value-add services Discover what IT Professionals Know. Rescue 
> delivers http://p.sf.net/sfu/logmein_12329d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!



--
Matthew Watchinski
V.P. Vulnerability Research (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-blog.snort.org && http://www.snort.org/vrt/

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!