[Snort-users] Whisker Head?

Thomas Whipp tkw at ...1885...
Fri Jun 22 05:23:00 EDT 2001


I used to see a LOT of these from proxy servers at a certain
well known UK ISP (I belive they where NetApp's) - as far as
I can tell these servers sometimes (always?) use a head to
check the last modified date of content before serving it to
a user.

	Tom

> -----Original Message-----
> From: Sheahan, Paul (PCLN-NW)
[mailto:Paul.Sheahan at ...2218...]
> Sent: 22 June 2001 07:22
> To: 'Snort-users at lists.sourceforge.net'
> Subject: [Snort-users] Whisker Head?
> 
> 
> I see quite a few "WEB-MISC Whisker HEAD" alerts on a
daily 
> basis in my
> Snort alert log. I read into it and apparently the whisker
scanner can
> request web pages using HEAD instead of GET. 
> 
> When I look at the traces of machines that attempted to
pull 
> some pages
> using HEAD, the pages look like a standard web page, and 
> nothing looks out
> of the norm other than the word HEAD (instead of GET). My 
> question is, is
> HEAD ever used during normal activity, or is it definitely
a sign of
> Whisker? Because the URL being retrieved looks normal, I
was 
> thinking maybe
> could have been valid traffic? Or does whisker pull valid 
> pages so all looks
> normal, meanwhile it is gathering other vulnerability
related info?
> 
> Thanks
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 




More information about the Snort-users mailing list