[Snort-users] Whisker Head?
tkw at ...1885...
Fri Jun 22 05:23:00 EDT 2001
I used to see a LOT of these from proxy servers at a certain
well known UK ISP (I belive they where NetApp's) - as far as
I can tell these servers sometimes (always?) use a head to
check the last modified date of content before serving it to
> -----Original Message-----
> From: Sheahan, Paul (PCLN-NW)
[mailto:Paul.Sheahan at ...2218...]
> Sent: 22 June 2001 07:22
> To: 'Snort-users at lists.sourceforge.net'
> Subject: [Snort-users] Whisker Head?
> I see quite a few "WEB-MISC Whisker HEAD" alerts on a
> basis in my
> Snort alert log. I read into it and apparently the whisker
> request web pages using HEAD instead of GET.
> When I look at the traces of machines that attempted to
> some pages
> using HEAD, the pages look like a standard web page, and
> nothing looks out
> of the norm other than the word HEAD (instead of GET). My
> question is, is
> HEAD ever used during normal activity, or is it definitely
a sign of
> Whisker? Because the URL being retrieved looks normal, I
> thinking maybe
> could have been valid traffic? Or does whisker pull valid
> pages so all looks
> normal, meanwhile it is gathering other vulnerability
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users