Re: Use of HEAD in web server scan

From: Mike Lewinski (mikeat_private)
Date: Sun Oct 28 2001 - 18:08:24 PST

  • Next message: Johannes Verelst: "Simultanious ping from lots of different hosts."

    > I went back to the snort logs and had a look at the packet dumps and
    > found that they were all HEAD requests which appear not to be logged by
    > IIS.
    whisker uses HEAD requests by default.
    IIS will log HEAD requests, but may require some reconfiguration of logging
    parameters. I.E. I just checked and this was logged on an IIS 4 server:
    13:31:51 W3SVC30 HEAD /index.htm - 200 284 153 80 Mozilla/4.0+
    I've selected "W3C Extended Log File Format" in the MMC. Also under
    "Properties" I have checked "Method" (plus everything else of interest).
    If you find that these settings are present on your system, perhaps the logs
    were cleaned.
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Sun Oct 28 2001 - 18:37:56 PST