Snort mailing list archives
odd little sequence PROPFIND -
From: Mark Rowlands <mark.rowlands () minmail net>
Date: Fri, 2 Nov 2001 22:37:36 +0100
I received this little lot inside 30 seconds.....anyone care to hit me with a clue stick.....fwiw the client says ie 6.0b nt 5.1.....and downloaded a couple of files quite acceptably and then ran riot with this lot :- some extracts from the apache log are included. (apache 2.0 without mod_dav!)

my real question is.....is this some sort of attempt to gain privilege or info or is it just normally obnoxious behaviour from IE6?

WEB-IIS _vti_inf access 2001-11-02 07:58:27 4.3.2.1:51659 1.2.3.4:80 TCP
WEB-IIS _vti_inf access 2001-11-02 07:58:27 4.3.2.1:51659 1.2.3.4:80 TCP
[bugtraq] WEB-FRONTPAGE _vti_rpc access 2001-11-02 07:58:27 4.3.2.1:51660 1.2.3.4:80 TCP
[bugtraq] WEB-FRONTPAGE _vti_rpc access 2001-11-02 07:58:27 4.3.2.1:51660 1.2.3.4:80 TCP
[arachNIDS] WEB-IIS view source via translate header 2001-11-02 07:58:38 4.3.2.1:51661 1.2.3.4:80 TCP
[arachNIDS] WEB-IIS view source via translate header 2001-11-02 07:58:38 4.3.2.1:51661 1.2.3.4:80 TCP
[arachNIDS] WEB-IIS view source via translate header 2001-11-02 07:58:38 4.3.2.1:51661 1.2.3.4:80 TCP
[arachNIDS] WEB-IIS view source via translate header 2001-11-02 07:58:38 4.3.2.1:51661 1.2.3.4:80 TCP
[arachNIDS] WEB-IIS view source via translate header 2001-11-02 07:58:38 4.3.2.1:51661 1.2.3.4:80 TCP
[arachNIDS] WEB-IIS view source via translate header 2001-11-02 07:58:38 4.3.2.1:51661 1.2.3.4:80 TCP
[arachNIDS] WEB-IIS view source via translate header 2001-11-02 07:58:38 4.3.2.1:51661 1.2.3.4:80 TCP
[arachNIDS] WEB-IIS view source via translate header 2001-11-02 07:58:38 4.3.2.1:51661 1.2.3.4:80 TCP
WEB-IIS _vti_inf access 2001-11-02 07:58:42 4.3.2.1:51660 1.2.3.4:80 TCP
WEB-IIS _vti_inf access 2001-11-02 07:58:42 4.3.2.1:51660 1.2.3.4:80 TCP
[bugtraq] WEB-FRONTPAGE _vti_rpc access 2001-11-02 07:58:42 4.3.2.1:51663 1.2.3.4:80 TCP
[bugtraq] WEB-FRONTPAGE _vti_rpc access 2001-11-02 07:58:42 4.3.2.1:51663 1.2.3.4:80 TCP
[arachNIDS] WEB-IIS view source via translate header 2001-11-02 07:58:52 4.3.2.1:51661 1.2.3.4:80 TCP
[arachNIDS] WEB-IIS view source via translate header 2001-11-02 07:58:52 4.3.2.1:51661 1.2.3.4:80 TCP
[arachNIDS] WEB-IIS view source via translate header 2001-11-02 07:58:52 4.3.2.1:51661 1.2.3.4:80 TCP
[arachNIDS] WEB-IIS view source via translate header 2001-11-02 07:58:52 4.3.2.1:51661 1.2.3.4:80 TCP
WEB-IIS _vti_inf access 2001-11-02 07:58:59 4.3.2.1:51665 1.2.3.4:80 TCP
WEB-IIS _vti_inf access 2001-11-02 07:58:59 4.3.2.1:51665 1.2.3.4:80 TCP
[bugtraq] WEB-FRONTPAGE _vti_rpc access 2001-11-02 07:58:59 4.3.2.1:51666 1.2.3.4:80 TCP
[bugtraq] WEB-FRONTPAGE _vti_rpc access 2001-11-02 07:58:59 4.3.2.1:51666 1.2.3.4:80 TCP
[arachNIDS] WEB-IIS view source via translate header 2001-11-02 07:59:09 4.3.2.1:51667 1.2.3.4:80 TCP
[arachNIDS] WEB-IIS view source via translate header 2001-11-02 07:59:09 4.3.2.1:51667 1.2.3.4:80 TCP
[arachNIDS] WEB-IIS view source via translate header 2001-11-02 07:59:09 4.3.2.1:51667 1.2.3.4:80 TCP
[arachNIDS] WEB-IIS view source via translate header 2001-11-02 07:59:09 4.3.2.1:51667 1.2.3.4:80 TCP

APACHE LOGS

"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"
"GET /web2/incoming/QB/Identifying%20_client_requirements.doc HTTP/1.1" 200 47104 "http://1.2.3.4/web2/incoming/QB/" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"
"OPTIONS /web2/incoming/QB HTTP/1.1" 200 0 "-" "Microsoft Data Access Internet Publishing Provider Cache Manager"
"GET /_vti_inf.html HTTP/1.1" 404 274 "-" "Mozilla/2.0 (compatible; MS FrontPage 4.0)"
"POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 404 288 "-" "MSFrontPage/4.0"
"OPTIONS /web2/incoming/QB/Identifying%20_client_requirements.doc HTTP/1.1" 200 0 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"
"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"
"GET /web2/incoming/QB/Print%20Servers.doc HTTP/1.1" 200 31744 "http://1.2.3.4/web2/incoming/QB/" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"
"OPTIONS /web2/incoming/QB HTTP/1.1" 200 0 "-" "Microsoft Data Access Internet Publishing Provider Cache Manager"
"GET /_vti_inf.html HTTP/1.1" 404 274 "-" "Mozilla/2.0 (compatible; MS FrontPage 4.0)"
"POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 404 288 "-" "MSFrontPage/4.0"
"OPTIONS /web2/incoming/QB/Print%20Servers.doc HTTP/1.1" 200 0 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"
"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"

--
You're not my type. For that matter, you're not even my species!!!
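A triage sketch for the Apache extract in the post above, added here as an example and not part of the original message: it groups the requests by User-Agent and lists the non-GET requests the server answered with a 2xx status. The function names are hypothetical; the sample lines are copied from the post's extract.

```python
import re
from collections import Counter, defaultdict

# Trimmed log format used in the post's extract:
# "METHOD path PROTO" status bytes "referer" "user-agent"
LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
    r'(?:\d+|-) "[^"]*" "(?P<agent>[^"]*)"'
)

# Lines copied from the Apache extract in the post.
SAMPLE = [
    '"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"',
    '"GET /web2/incoming/QB/Print%20Servers.doc HTTP/1.1" 200 31744 "http://1.2.3.4/web2/incoming/QB/" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"',
    '"OPTIONS /web2/incoming/QB HTTP/1.1" 200 0 "-" "Microsoft Data Access Internet Publishing Provider Cache Manager"',
    '"GET /_vti_inf.html HTTP/1.1" 404 274 "-" "Mozilla/2.0 (compatible; MS FrontPage 4.0)"',
    '"POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 404 288 "-" "MSFrontPage/4.0"',
    '"OPTIONS /web2/incoming/QB/Print%20Servers.doc HTTP/1.1" 200 0 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"',
    '"PROPFIND /web2 HTTP/1.1" 405 299 "-" "Microsoft-WebDAV-MiniRedir/5.1.2505"',
]

def parse(lines):
    """Yield method, path, status and agent for each line that matches."""
    for line in lines:
        m = LINE.search(line)
        if m:  # skip anything malformed rather than guessing
            yield {**m.groupdict(), "status": int(m["status"])}

def by_agent(lines):
    """Map each User-Agent to a Counter of (method, status) pairs."""
    out = defaultdict(Counter)
    for r in parse(lines):
        out[r["agent"]][(r["method"], r["status"])] += 1
    return dict(out)

def accepted_non_get(lines):
    """Non-GET/HEAD requests that the server answered with a 2xx status."""
    return sorted({(r["method"], r["path"], r["agent"]) for r in parse(lines)
                   if r["method"] not in ("GET", "HEAD")
                   and 200 <= r["status"] < 300})

if __name__ == "__main__":
    for agent, counts in by_agent(SAMPLE).items():
        print(agent, dict(counts))
    print("accepted non-GET:", accepted_non_get(SAMPLE))
```

Because `LINE` is applied with `search`, the same functions also accept full combined-format lines that carry the host and timestamp fields in front of the request.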