Re: Use of HEAD in web server scan

From: Mike Lewinski (mikeat_private)
Date: Sun Oct 28 2001 - 18:08:24 PST

  • Next message: Johannes Verelst: "Simultanious ping from lots of different hosts."

    > I went back to the snort logs and had a look at the packet dumps and
    > found that they were all HEAD requests which appear not to be logged by
    > IIS.
    
    whisker uses HEAD requests by default.
    
    IIS will log HEAD requests, but may require some reconfiguration of logging
    parameters. I.E. I just checked and this was logged on an IIS 4 server:
    
    13:31:51 195.92.95.69 W3SVC30 HEAD /index.htm - 200 284 153 80 Mozilla/4.0+
    (compatible;+Netcraft+Web+Server+Survey) http://www.netcraft.com/survey/
    
    I've selected "W3C Extended Log File Format" in the MMC. Also under
    "Properties" I have checked "Method" (plus everything else of interest).
    
    If you find that these settings are present on your system, perhaps the logs
    were cleaned.
    
    Mike
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Oct 28 2001 - 18:37:56 PST