Snort mailing list archives
Re: http_inspect: UNKNOWN METHOD
From: Greg Williams <gwillia5 () uccs edu>
Date: Tue, 11 Dec 2012 18:48:44 +0000
I sampled a few, it's any one of them actually. HEAD, POST, GET, etc. http_inspect not working correctly? -----Original Message----- From: Matt Watchinski [mailto:mwatchinski () sourcefire com] Sent: Tuesday, December 11, 2012 11:41 AM To: Greg Williams Cc: Jeremy Hoel; snort-users () lists sourceforge net Subject: Re: [Snort-users] http_inspect: UNKNOWN METHOD What method does it think is unknown? These are the default methods in the 294 conf GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA If its not in that list, then it would alert. Cheers, -matt On Tue, Dec 11, 2012 at 1:37 PM, Greg Williams <gwillia5 () uccs edu> wrote:
Thanks for the confirmation. I've been running this for 2 years with only minor tweaks to the rulesets and this is the first time I've seen this. It has hits on 4075 internal addresses. -----Original Message----- From: Jeremy Hoel [mailto:jthoel () gmail com] Sent: Tuesday, December 11, 2012 11:27 AM To: Greg Williams Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] http_inspect: UNKNOWN METHOD We gotten a lot of alerts for that before.. and we actually have that in our disabled.conf file. We got back and look at them semi often to see if we can work out the deal, but for now we have this disabled. On Tue, Dec 11, 2012 at 6:16 PM, Greg Williams <gwillia5 () uccs edu> wrote:I updated the rules (free VRT) last Friday and didn't look at the alerts until today. I've received 158,000 alerts for http_inspect: UNKNOWN METHOD. SID is 119-31. alert ( msg: "HI_CLIENT_UNKNOWN_METHOD"; sid: 31; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; ) I don't see a reason for this, and I can put a threshold on this rule, but is anyone else seeing the same kind of alerts within the past few days? --------------------------------------------------------------------- - -------- LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!---------------------------------------------------------------------- -------- LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
-- Matthew Watchinski V.P. Vulnerability Research (VRT) Sourcefire, Inc. Office: 410-423-1928 http://vrt-blog.snort.org && http://www.snort.org/vrt/ ------------------------------------------------------------------------------ LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- http_inspect: UNKNOWN METHOD Greg Williams (Dec 11)
- Re: http_inspect: UNKNOWN METHOD Jeremy Hoel (Dec 11)
- Re: http_inspect: UNKNOWN METHOD Greg Williams (Dec 11)
- Re: http_inspect: UNKNOWN METHOD Matt Watchinski (Dec 11)
- Re: http_inspect: UNKNOWN METHOD Greg Williams (Dec 11)
- Re: http_inspect: UNKNOWN METHOD Nick Randolph (Dec 14)
- Re: http_inspect: UNKNOWN METHOD Greg Williams (Dec 11)
- Re: http_inspect: UNKNOWN METHOD Jeremy Hoel (Dec 11)