Home page logo
/

snort logo Snort mailing list archives

Re: http_inspect: UNKNOWN METHOD
From: Greg Williams <gwillia5 () uccs edu>
Date: Tue, 11 Dec 2012 18:48:44 +0000

I sampled a few, it's any one of them actually.  HEAD, POST, GET, etc.  http_inspect not working correctly?  

-----Original Message-----
From: Matt Watchinski [mailto:mwatchinski () sourcefire com] 
Sent: Tuesday, December 11, 2012 11:41 AM
To: Greg Williams
Cc: Jeremy Hoel; snort-users () lists sourceforge net
Subject: Re: [Snort-users] http_inspect: UNKNOWN METHOD

What method does it think is unknown?

These are the default methods in the 294 conf

GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE 
TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST 
CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA

If its not in that list, then it would alert.

Cheers,
-matt

On Tue, Dec 11, 2012 at 1:37 PM, Greg Williams <gwillia5 () uccs edu> wrote:
Thanks for the confirmation.  I've been running this for 2 years with only minor tweaks to the rulesets and this is 
the first time I've seen this.  It has hits on 4075 internal addresses.


-----Original Message-----
From: Jeremy Hoel [mailto:jthoel () gmail com]
Sent: Tuesday, December 11, 2012 11:27 AM
To: Greg Williams
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] http_inspect: UNKNOWN METHOD

We gotten a lot of alerts for that before.. and we actually have that in our disabled.conf file.

We got back and look at them semi often to see if we can work out the deal, but for now we have this disabled.

On Tue, Dec 11, 2012 at 6:16 PM, Greg Williams <gwillia5 () uccs edu> wrote:
I updated the rules (free VRT) last Friday and didn't look at the 
alerts until today.  I've received 158,000 alerts for http_inspect: UNKNOWN METHOD.
SID is 119-31. alert ( msg: "HI_CLIENT_UNKNOWN_METHOD"; sid: 31; gid:
119;
rev: 1; metadata: rule-type preproc ; classtype:unknown; )



I don't see a reason for this, and I can put a threshold on this 
rule, but is anyone else seeing the same kind of alerts within the past few days?






---------------------------------------------------------------------
-
-------- LogMeIn Rescue: Anywhere, Anytime Remote support for IT. 
Free Trial Remotely access PCs and mobile devices and provide instant 
support Improve your efficiency, and focus on delivering more 
value-add services Discover what IT Professionals Know. Rescue 
delivers http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest 
Snort news!

----------------------------------------------------------------------
-------- LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free 
Trial Remotely access PCs and mobile devices and provide instant 
support Improve your efficiency, and focus on delivering more 
value-add services Discover what IT Professionals Know. Rescue 
delivers http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



--
Matthew Watchinski
V.P. Vulnerability Research (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-blog.snort.org && http://www.snort.org/vrt/

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]