Snort mailing list archives

RE: Snorting OPTIONS method


From: "Paul Melson" <psmelson () comcast net>
Date: Tue, 10 May 2005 11:46:39 -0400

There's a Bleeding Edge rule that does this for the CONNECT method (often
used to tunnel non-HTTP protocols through a proxy, or proxy off of a
misconfigured Apache install, etc.)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE Proxy CONNECT Request"; flow:to_server,established; content:"CONNECT "; depth:8; nocase; classtype:bad-unknown; sid:2001675; rev:1;)

Just replace 'CONNECT' with 'OPTIONS' and assign it a new sid (or remove the
sid if you don't use them in reporting), copy it into your local.rules,
restart Snort and you should be all set.

PaulM
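The swap described above, carried one step further as an added example that is not part of the original post: the first rule is the CONNECT rule with the method changed, and the second uses flowbits to alert only on the server's 200 reply in the same session, which is what the original question asked about. The sid values and the flowbit name are assumed placeholders; $HTTP_SERVERS and $HTTP_PORTS are the usual snort.conf variables.

```snort
# Added example, not from the original post. Drop into local.rules.
# sids are placeholders in the local range (>= 1000000); flowbit name is assumed.

# Request side: same shape as the Bleeding Edge CONNECT rule. "OPTIONS " is
# 8 bytes, so depth:8 pins it to the start of the request line.
# flow:established means a packet with a spoofed source that never completed
# the TCP handshake will not match.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL HTTP OPTIONS Request"; flow:to_server,established; content:"OPTIONS "; depth:8; nocase; flowbits:set,local.http.options; classtype:bad-unknown; sid:1000001; rev:1;)

# Response side: fires only on a session where the request rule set the flag
# and the status line begins "HTTP/1.x 200 ". "HTTP/1." is 7 bytes (depth:7);
# within:6 covers the version digit plus " 200 ". tag: captures the next 10
# packets of the session so the returned body can be reviewed.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"LOCAL HTTP 200 reply to OPTIONS"; flow:to_client,established; flowbits:isset,local.http.options; content:"HTTP/1."; depth:7; content:" 200 "; within:6; classtype:bad-unknown; tag:session,10,packets; sid:1000002; rev:1;)
```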


-----Original Message-----
Subject: [Snort-users] Snorting OPTIONS method

Hello Snortsters,

I have been seeing a few OPTIONS methods to HTTPD and was wondering if there
is a rule I could use to grab these packets. The reason is because Apache
has been giving these requests a code 200 and I want to know what, if
anything, is being returned. These are the most recent:

My main concern is with the four requests on May 09 which managed to spoof
my own IP address. I used telnet to see how Apache would respond locally and
was given a code 400. Snort doesn't log any of these.


