Snort mailing list archives
Lots of previously unseen WebDAV alerts?
From: James Garrison <jhg () athensgroup com>
Date: Tue, 05 Mar 2002 10:22:37 -0600
Starting last Thursday 28 Feb, we began seeing many instances of the following alerts:

    WEB-IIS webdav file lock attempt
    WEB-IIS view source via translate header

The first refers to a WebDAV "LOCK" request, and the second looks for "Translate: f".

Our public web server does allow WebDAV requests, but only on port 443 with authentication, and only to authorized users. The server has been running in its present configuration for about a year (i.e. we didn't just enable WebDAV), and there were no configuration changes on February 28th.

All these alerts are occurring on port 80. There does not appear to be a pattern to the originating IPs... they're all over the world.

We've been running snort for the past 4 months, and 2/28/2002 is the first time either of these alerts occurred. Since then we've seen 162 file lock attempts and 364 "translate header". We have not changed the snort ruleset in the last 30 days.

Comments? Insights?

--
James Garrison                          Athens Group, Inc.
mailto:jhg () athensgroup com           5608 Parkcrest Dr
http://www.athensgroup.com              Austin, TX 78731
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C   (512) 345-0600 x150
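An added triage example, not part of the original post and not Snort's own rule logic: it tallies requests that use the LOCK method or carry a "Translate: f" header, split by destination port, with distinct sources and first date seen. The record layout, the sample data and the names `classify` and `summarize` are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records: (date, source IP, destination port, raw request head).
SAMPLE = [
    ("2002-02-27", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("2002-02-28", "198.51.100.7", 80, b"LOCK /docs/a.doc HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("2002-02-28", "203.0.113.44", 80, b"GET /default.asp HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n"),
    ("2002-03-01", "203.0.113.90", 80, b"PROPFIND / HTTP/1.1\r\ntranslate:  F\r\nHost: www.example.com\r\n\r\n"),
    ("2002-03-01", "192.0.2.55", 443, b"LOCK /dav/spec.doc HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n"),
    # "Translate: f" appears only in the URL here, not as a header; a plain
    # substring search would count it, the header parse below does not.
    ("2002-03-02", "198.51.100.7", 80, b"GET /a?x=Translate:%20f HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

def classify(raw):
    """Return the labels ("lock", "translate_f") that a request head matches."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    labels = set()
    if lines[0].split(" ", 1)[0] == "LOCK":       # request method
        labels.add("lock")
    for line in lines[1:]:                        # header fields only
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "translate" and value.strip().lower() == "f":
            labels.add("translate_f")
    return labels

def summarize(records):
    """Per (label, port): hit count, distinct sources, first date seen."""
    out = defaultdict(lambda: {"hits": 0, "sources": set(), "first": None})
    for date, src, port, raw in records:
        for label in classify(raw):
            row = out[(label, port)]
            row["hits"] += 1
            row["sources"].add(src)
            row["first"] = date if row["first"] is None else min(row["first"], date)
    return dict(out)

if __name__ == "__main__":
    for (label, port), row in sorted(summarize(SAMPLE).items()):
        print(f"{label:12} port {port:<4} hits={row['hits']} "
              f"sources={len(row['sources'])} first={row['first']}")
```

Keeping the port 80 and port 443 tallies apart separates unsolicited requests from the authenticated WebDAV use the server is configured to allow.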