Snort mailing list archives
RE: Snorting OPTIONS method
From: "Paul Melson" <psmelson () comcast net>
Date: Tue, 10 May 2005 11:46:39 -0400
There's a Bleeding Edge rule that does this for the CONNECT method (often used to tunnel non-HTTP protocols through a proxy, or proxy off of a misconfigured Apache install, etc.):

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE Proxy CONNECT Request"; flow:to_server,established; content:"CONNECT "; depth:8; nocase; classtype:bad-unknown; sid:2001675; rev:1;)

Just replace 'CONNECT' with 'OPTIONS' and assign it a new sid (or remove the sid if you don't use them in reporting), copy it into your local.rules, restart Snort and you should be all set.

PaulM

-----Original Message-----
Subject: [Snort-users] Snorting OPTIONS method

Hello Snortsters,

I have been seeing a few OPTIONS methods to HTTPD and was wondering if there is a rule I could use to grab these packets. The reason is because Apache has been giving these requests a code 200 and I want to know what, if anything, is being returned. These are the most recent:

My main concern is with the four requests on May 09 which managed to spoof my own IP address. I used telnet to see how Apache would respond locally and was given a code 400. Snort doesn't log any of these.
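To show why the CONNECT rule transfers to OPTIONS with only the content string changed, here is an added example that is not part of the thread or of the Bleeding Edge ruleset. It emulates the content/depth/nocase semantics in Python: the match must fall entirely within the first `depth` bytes of the payload, and `nocase` makes it case-insensitive. Both "CONNECT " and "OPTIONS " are exactly 8 bytes including the trailing space, so depth:8 pins the method to the very start of the request. The sid 1000001 and the msg text are placeholders in the local-rule range, and the sample requests are constructed; the toy parser handles only this rule shape, not real Snort syntax.

```python
# Adapted rule as the reply describes it: 'CONNECT' replaced with 'OPTIONS'.
# sid 1000001 and the msg text are placeholders (assumption, not from the thread).
OPTIONS_RULE = (
    'alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"LOCAL HTTP OPTIONS Request"; flow:to_server,established; '
    'content:"OPTIONS "; depth:8; nocase; classtype:bad-unknown; '
    'sid:1000001; rev:1;)'
)

# Constructed sample request payloads (not captured traffic).
SAMPLES = {
    "options_root":    b"OPTIONS / HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "options_lower":   b"options * HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "get_root":        b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # 'OPTIONS ' appears, but only in the body, past the 8-byte depth window.
    "options_in_body": b"POST /f HTTP/1.1\r\nHost: www.example.com\r\n\r\nOPTIONS / HTTP/1.0\r\n",
    "connect_tunnel":  b"CONNECT mail.example.com:25 HTTP/1.1\r\n\r\n",
}


def parse_content_options(rule):
    """Pull msg, content, depth and nocase out of a rule body.

    Toy parser for the rule shape above only: options are split on ';',
    values on the first ':'. Real Snort rule parsing is far richer.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        name, _, value = opt.partition(":")
        opts[name.strip()] = value.strip().strip('"')
    content = opts["content"]
    depth = int(opts["depth"]) if "depth" in opts else None
    nocase = "nocase" in opts
    return opts.get("msg"), content, depth, nocase


def payload_matches(payload, content, depth=None, nocase=False):
    """Emulate content/depth/nocase: the pattern must lie wholly within the
    first `depth` bytes of the payload (whole payload if depth is None)."""
    window = payload if depth is None else payload[:depth]
    needle = content.encode()
    if nocase:
        return needle.lower() in window.lower()
    return needle in window


def scan(rule, payloads):
    """Return {label: matched} for each sample payload under the rule."""
    _msg, content, depth, nocase = parse_content_options(rule)
    return {label: payload_matches(p, content, depth, nocase)
            for label, p in payloads.items()}


if __name__ == "__main__":
    msg, *_ = parse_content_options(OPTIONS_RULE)
    for label, hit in scan(OPTIONS_RULE, SAMPLES).items():
        print(f"{label:16s} {'ALERT ' + msg if hit else 'no match'}")
```

Only the two requests whose first 8 bytes are "OPTIONS " (in either case) fire; the GET, the CONNECT and the POST that merely carries "OPTIONS " in its body do not, which is the behaviour you want from a method-detection rule. Real Snort additionally passes the request through its HTTP preprocessor, so treat this as an illustration of the option semantics rather than a substitute for testing the rule against live traffic.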
Current thread:
- Snorting OPTIONS method Gregory D Hough (May 10)
- RE: Snorting OPTIONS method Paul Melson (May 10)
- Re: Snorting OPTIONS method Gregory D Hough (May 10)
- RE: Snorting OPTIONS method Paul Melson (May 10)