Snort mailing list archives

Snorting OPTIONS method


From: Gregory D Hough <mr6re9 () execulink com>
Date: Tue, 10 May 2005 10:52:38 -0400

Hello Snortsters,

I have been seeing a few OPTIONS method requests to HTTPD and was wondering if there is a rule I could use to grab these packets. The reason is that Apache has been giving these requests a code 200 and I want to know what, if anything, is being returned. These are the most recent:

81.173.167.234 - - [17/Apr/2005:14:55:17 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
195.174.123.203 - - [20/Apr/2005:04:31:14 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
213.60.52.90 - - [27/Apr/2005:10:48:48 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
66.203.191.192 - - [09/May/2005:15:57:20 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "-"
66.203.191.192 - - [09/May/2005:15:57:25 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "-"
66.203.191.192 - - [09/May/2005:15:57:25 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "-"
66.203.191.192 - - [09/May/2005:15:57:25 -0400] "OPTIONS / HTTP/1.1" 200 - "-" "-"
192.168.1.251 - - [10/May/2005:09:53:09 -0400] "OPTIONS / HTTP/1.1" 400 226 "-" "-"

My main concern is with the four requests on May 09 which managed to spoof my own IP address. I used telnet to see how Apache would respond locally and was given a code 400. Snort doesn't log any of these.

Thanks,
farmer6re9
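
An added example, not part of the original post: one way to write a Snort 2.x rule that alerts on the OPTIONS requests described above and tags the session so the server's reply is logged as well. It assumes $HTTP_SERVERS and $HTTP_PORTS are defined in snort.conf; the sid, msg text and the 20-packet tag count are arbitrary local choices.

```snort
# Added example for local.rules (not from the original post).
# The source is "any" rather than $EXTERNAL_NET: the 09 May log entries
# carry the server's own address, which a !$HOME_NET source would exclude.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"LOCAL HTTP OPTIONS request"; \
    flow:to_server,established; \
    content:"OPTIONS "; depth:8; \
    tag:session,20,packets; \
    classtype:web-application-activity; \
    sid:1000001; rev:1; )
# flow         : only client-to-server data on an established TCP session
# content/depth: the method token must sit in the first 8 payload bytes
# tag          : log the next 20 packets of the session, reply included
```

The tagged packets go to the configured packet log, where the response headers (for example Allow:) can be read back with `snort -r` or tcpdump.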

