[Snort-users] Whisker Head?

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Fri Jun 22 02:21:48 EDT 2001

I see quite a few "WEB-MISC Whisker HEAD" alerts on a daily basis in my
Snort alert log. I read into it and apparently the whisker scanner can
request web pages using HEAD instead of GET. 

When I look at the traces of machines that attempted to pull some pages
using HEAD, the pages look like a standard web page, and nothing looks out
of the norm other than the word HEAD (instead of GET). My question is, is
HEAD ever used during normal activity, or is it definitely a sign of
Whisker? Because the URL being retrieved looks normal, I was thinking maybe
could have been valid traffic? Or does whisker pull valid pages so all looks
normal, meanwhile it is gathering other vulnerability related info?


More information about the Snort-users mailing list