Snort mailing list archives
Re: Whisker Head?
From: Vitaly Osipov <vosipov () wolfegroup ie>
Date: Fri, 22 Jun 2001 11:13:53 +0100
The problem is not that it's HEAD method - it's pretty legitimate as a web request method and indeed is used by proxies, but there are basically two rules in snort configuration that say "whisker HEAD attack" - one checks for substring "HEAD /./" which is a bad request :) (if it really appears in a request part, not in cookie/whatever else part) and the other rule just checks for a long "HEAD" request - so if proxy requests a long URL or just sends lots of headers (cookies and stuff), then it will be triggered (it simply checks datasize>512 bytes).

The latter is not a correct way to detect whisker attacks or whatever evasion/reconnaissance over http. There should be some basic parsing done in http module and it would be nice to have a possibility to match, say, request field, headers field and data field in http request separately.

And don't start me about how many (ehm, thousands a day) of absolutely clueless unicode alerts I receive from unidecode module simply because it matches something in parameter/cookies part instead of a request field :) (I hope this will be fixed soon)

regards,

W. Thomas Whipp wrote:
> I used to see a LOT of these from proxy servers at a certain well known UK ISP (I believe they were NetApp's) - as far as I can tell these servers sometimes (always?) use a HEAD to check the last modified date of content before serving it to a user.
>
> Tom
>
> -----Original Message-----
> From: Sheahan, Paul (PCLN-NW) [mailto:Paul.Sheahan () priceline com]
> Sent: 22 June 2001 07:22
> To: 'Snort-users () lists sourceforge net'
> Subject: [Snort-users] Whisker Head?
>
> I see quite a few "WEB-MISC Whisker HEAD" alerts on a daily basis in my Snort alert log. I read into it and apparently the whisker scanner can request web pages using HEAD instead of GET. When I look at the traces of machines that attempted to pull some pages using HEAD, the pages look like a standard web page, and nothing looks out of the norm other than the word HEAD (instead of GET).
>
> My question is, is HEAD ever used during normal activity, or is it definitely a sign of Whisker? Because the URL being retrieved looks normal, I was thinking maybe could have been valid traffic? Or does whisker pull valid pages so all looks normal, meanwhile it is gathering other vulnerability related info?
>
> Thanks
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
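The distinction Vitaly draws above (matching a pattern anywhere in the payload versus matching it only in the request line) is easy to show in code. The following Python script is an added illustration written for this archive page; it is not Snort code and the two "legacy" checks are paraphrases of the rule behaviour described in the message ("HEAD /./" as a substring, and a HEAD request with more than 512 bytes of payload), not the actual rule text. Both sample requests are constructed for the example: a benign proxy freshness check carrying a large cookie, and a short request whose request line really does contain "/./".

```python
"""Field-aware HTTP request matching versus payload-wide matching.

Added example for the Snort-users thread above; not Snort's own code.
Shows why a substring or size check over the whole payload fires on
benign proxy traffic, while the same check restricted to the parsed
request line does not.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class HttpRequest:
    method: str
    uri: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> Optional[HttpRequest]:
    """Split a raw HTTP/1.x request into request line, headers and body.

    Returns None when there is no parseable request line or a malformed
    header, so the caller can treat the payload as opaque instead of
    pretending it is HTTP.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return HttpRequest(
        parts[0].decode("latin-1"),
        parts[1].decode("latin-1"),
        parts[2].decode("latin-1"),
        headers,
        body,
    )


def legacy_substring_alert(raw: bytes) -> bool:
    """Paraphrase of the first rule: "HEAD /./" anywhere in the payload."""
    return b"HEAD /./" in raw


def legacy_size_alert(raw: bytes) -> bool:
    """Paraphrase of the second rule: a HEAD request larger than 512 bytes."""
    return raw.startswith(b"HEAD ") and len(raw) > 512


def field_aware_alert(raw: bytes) -> bool:
    """Match only the request line: HEAD method with a '/./' path segment."""
    req = parse_request(raw)
    if req is None:
        return False
    return req.method == "HEAD" and "/./" in req.uri


# Constructed sample 1: a proxy checking freshness with a large cookie header.
# The cookie value also happens to contain the literal text "HEAD /./".
PROXY_HEAD = (
    b"HEAD /news/index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: ExampleProxy/1.0\r\n"
    b"Cookie: session=" + b"a" * 600 + b"; note=HEAD /./ in a cookie\r\n"
    b"\r\n"
)

# Constructed sample 2: the request-line shape the rule is actually after.
SCANNER_HEAD = b"HEAD /./cgi-bin/ HTTP/1.0\r\n\r\n"


if __name__ == "__main__":
    for label, raw in (("proxy", PROXY_HEAD), ("scanner", SCANNER_HEAD)):
        print(label,
              "substring:", legacy_substring_alert(raw),
              "size>512:", legacy_size_alert(raw),
              "request-line only:", field_aware_alert(raw))
```

Run as a script it prints one line per sample: the proxy request trips both payload-wide checks and not the request-line check, while the short scanner-style request trips only the checks that look at the request line.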
Current thread:
- Whisker Head? Sheahan, Paul (PCLN-NW) (Jun 21)
- <Possible follow-ups>
- RE: Whisker Head? Thomas Whipp (Jun 22)
- Re: Whisker Head? Vitaly Osipov (Jun 22)