Snort mailing list archives

Lots of previously unseen WebDAV alerts?


From: James Garrison <jhg () athensgroup com>
Date: Tue, 05 Mar 2002 10:22:37 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Starting last Thursday 28 Feb, we began seeing many instances
of the following alerts:

WEB-IIS webdav file lock attempt
WEB-IIS view source via translate header

The first refers to a WebDAV "LOCK" request, and the second
looks for "Translate: f".

Our public web server does allow WebDAV requests, but only on
port 443 with authentication, and only to authorized users.
The server has been running in its present configuration for
about a year (i.e. we didn't just enable WebDAV), and there
were no configuration changes on February 28th.
All these alerts are occurring on port 80.  There does not
appear to be a pattern to the originating IPs... they're
all over the world.  We've been running snort for the past
4 months, and 2/28/2002 is the first time either of these
alerts occurred.  Since then we've seen 162 file lock
attempts and 364 "translate header".  We have not changed
the snort ruleset in the last 30 days.

Comments?  Insights?

- --
James Garrison                                Athens Group, Inc.
mailto:jhg () athensgroup com                    5608 Parkcrest Dr
http://www.athensgroup.com                    Austin, TX 78731
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C         (512) 345-0600 x150


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPITwxTI+YtJJjTMcEQKb0gCguvx9gurZlsExaR/ocE85LWRLstcAoPP0
pqcgddAZUu/y9emw5EKfskKP
=KkxE
-----END PGP SIGNATURE-----
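The triage described in the message above (volume per signature, spread of source addresses, destination port, first occurrence) can be pulled from Snort "fast" alert lines. This is an added example, not part of the original post or of Snort. The sample alerts, the addresses and the `webdav_ports` parameter are constructed assumptions; 443 reflects the post's statement that WebDAV is only offered there.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort "fast" format (documentation address
# ranges; the gid:sid:rev triple is a placeholder, not a real rule ID).
SAMPLE_ALERTS = """\
02/28-09:14:02.118231  [**] [1:0:0] WEB-IIS webdav file lock attempt [**] [Priority: 2] {TCP} 198.51.100.23:3187 -> 192.0.2.10:80
02/28-09:14:02.530412  [**] [1:0:0] WEB-IIS view source via translate header [**] [Priority: 2] {TCP} 198.51.100.23:3188 -> 192.0.2.10:80
03/01-22:40:51.004377  [**] [1:0:0] WEB-IIS view source via translate header [**] [Priority: 2] {TCP} 203.0.113.77:1042 -> 192.0.2.10:80
03/02-03:05:19.771905  [**] [1:0:0] ICMP PING NMAP [**] [Priority: 2] {ICMP} 192.0.2.200 -> 192.0.2.10
03/04-17:59:33.260148  [**] [1:0:0] WEB-IIS webdav file lock attempt [**] [Priority: 2] {TCP} 203.0.113.5:2219 -> 192.0.2.10:80
"""

ALERT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>[\d:.]+)\s+\[\*\*\]\s+\[[\d:]+\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

WATCHED = ("WEB-IIS webdav file lock attempt",
           "WEB-IIS view source via translate header")

def summarize(text, webdav_ports=frozenset({443})):
    """Per-signature triage summary: volume, source spread, ports, first seen."""
    stats = defaultdict(lambda: {"count": 0, "sources": set(), "dports": set(),
                                 "first_seen": None, "off_service": 0})
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m or m["msg"] not in WATCHED:
            continue  # other signatures, portless (ICMP) or unparseable lines
        s = stats[m["msg"]]
        s["count"] += 1
        s["sources"].add(m["src"])
        dport = int(m["dport"])
        s["dports"].add(dport)
        # Fast-format timestamps carry no year, so MM/DD strings only sort
        # correctly within one calendar year.
        if s["first_seen"] is None or m["date"] < s["first_seen"]:
            s["first_seen"] = m["date"]
        if dport not in webdav_ports:
            s["off_service"] += 1  # aimed at a port where WebDAV is not offered
    return dict(stats)

if __name__ == "__main__":
    for msg, s in summarize(SAMPLE_ALERTS).items():
        print(f"{msg}: {s['count']} alerts, {len(s['sources'])} sources, "
              f"ports {sorted(s['dports'])}, first seen {s['first_seen']}, "
              f"{s['off_service']} off-service")
```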



