Re: Whisker Head?

[Vitaly Osipov <vosipov () wolfegroup ie>]

The problem is not that it's HEAD method - it's pretty legitimate as a
web request method and indeed is used by proxies, but there are
basically two rules in snort configuration that say "whisker HEAD
attack" - one checks for substring "HEAD /./" which is a bad request :)
(if it really appears in a request part, not in cookie/whatever else
part) and the other rule just checks for a long "HEAD" request - so if
proxy requests a long URL or just sends lots of headers (cookies and
stuff), then it will be triggered (it simply checks datasize>512 bytes)

The latter is not a correct way to detect whisker attacks or whatever
evasion/reconaissance over http. There shoud be some basic parsing done
in http module and it would be nice to have a possibility to match, say,
request field, headers field and data field in http request separately.
And dont start me about how many (ehm, thousands a day) of absolutely
clueless unicode alerts I receive from unidecode module simply because
it matches something in parameter/cookies part instead of a request
field :) (I hope this will be fixed soon)

regards,
W.

Thomas Whipp wrote:
> I used to see a LOT of these from proxy servers at a certain
> well known UK ISP (I belive they where NetApp's) - as far as
> I can tell these servers sometimes (always?) use a head to
> check the last modified date of content before serving it to
> a user.
>
>         Tom
>
> > -----Original Message-----
> > From: Sheahan, Paul (PCLN-NW)
> [mailto:Paul.Sheahan () priceline com]
> > Sent: 22 June 2001 07:22
> > To: 'Snort-users () lists sourceforge net'
> > Subject: [Snort-users] Whisker Head?
> >
> >
> > I see quite a few "WEB-MISC Whisker HEAD" alerts on a
> daily
> > basis in my
> > Snort alert log. I read into it and apparently the whisker
> scanner can
> > request web pages using HEAD instead of GET.
> >
> > When I look at the traces of machines that attempted to
> pull
> > some pages
> > using HEAD, the pages look like a standard web page, and
> > nothing looks out
> > of the norm other than the word HEAD (instead of GET). My
> > question is, is
> > HEAD ever used during normal activity, or is it definitely
> a sign of
> > Whisker? Because the URL being retrieved looks normal, I
> was
> > thinking maybe
> > could have been valid traffic? Or does whisker pull valid
> > pages so all looks
> > normal, meanwhile it is gathering other vulnerability
> related info?
> > Thanks
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users