Re: http_inspect: UNKNOWN METHOD

[Nick Randolph <drandolph () sourcefire com>]

Do you have a pcap you can share?


On Tue, Dec 11, 2012 at 1:48 PM, Greg Williams <gwillia5 () uccs edu> wrote:

> I sampled a few, it's any one of them actually.  HEAD, POST, GET, etc.
>  http_inspect not working correctly?
>
> -----Original Message-----
> From: Matt Watchinski [mailto:mwatchinski () sourcefire com]
> Sent: Tuesday, December 11, 2012 11:41 AM
> To: Greg Williams
> Cc: Jeremy Hoel; snort-users () lists sourceforge net
> Subject: Re: [Snort-users] http_inspect: UNKNOWN METHOD
>
> What method does it think is unknown?
>
> These are the default methods in the 294 conf
>
> GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE
> BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE
> UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT
> PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA
> RPC_ECHO_DATA
>
> If its not in that list, then it would alert.
>
> Cheers,
> -matt
>
> On Tue, Dec 11, 2012 at 1:37 PM, Greg Williams <gwillia5 () uccs edu> wrote:
> > Thanks for the confirmation.  I've been running this for 2 years with
> only minor tweaks to the rulesets and this is the first time I've seen
> this.  It has hits on 4075 internal addresses.
> > -----Original Message-----
> > From: Jeremy Hoel [mailto:jthoel () gmail com]
> > Sent: Tuesday, December 11, 2012 11:27 AM
> > To: Greg Williams
> > Cc: snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] http_inspect: UNKNOWN METHOD
> >
> > We gotten a lot of alerts for that before.. and we actually have that in
> our disabled.conf file.
> > We got back and look at them semi often to see if we can work out the
> deal, but for now we have this disabled.
> > On Tue, Dec 11, 2012 at 6:16 PM, Greg Williams <gwillia5 () uccs edu>
> wrote:
> > > I updated the rules (free VRT) last Friday and didn't look at the
> > > alerts until today.  I've received 158,000 alerts for http_inspect:
> UNKNOWN METHOD.
> > > SID is 119-31. alert ( msg: "HI_CLIENT_UNKNOWN_METHOD"; sid: 31; gid:
> > > 119;
> > > rev: 1; metadata: rule-type preproc ; classtype:unknown; )
> > >
> > >
> > >
> > > I don't see a reason for this, and I can put a threshold on this
> > > rule, but is anyone else seeing the same kind of alerts within the past
> few days?
> > > ---------------------------------------------------------------------
> > > -
> > > -------- LogMeIn Rescue: Anywhere, Anytime Remote support for IT.
> > > Free Trial Remotely access PCs and mobile devices and provide instant
> > > support Improve your efficiency, and focus on delivering more
> > > value-add services Discover what IT Professionals Know. Rescue
> > > delivers http://p.sf.net/sfu/logmein_12329d2d
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!
> >
> > ----------------------------------------------------------------------
> > -------- LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free
> > Trial Remotely access PCs and mobile devices and provide instant
> > support Improve your efficiency, and focus on delivering more
> > value-add services Discover what IT Professionals Know. Rescue
> > delivers http://p.sf.net/sfu/logmein_12329d2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
>
> --
> Matthew Watchinski
> V.P. Vulnerability Research (VRT)
> Sourcefire, Inc.
> Office: 410-423-1928
> http://vrt-blog.snort.org && http://www.snort.org/vrt/
>
>
> ------------------------------------------------------------------------------
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support
> Improve your efficiency, and focus on delivering more value-add services
> Discover what IT Professionals Know. Rescue delivers
> http://p.sf.net/sfu/logmein_12329d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!



-- 

Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph () sourcefire com
Sourcefire.com <http://www.sourcefire.com/>

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!