[Snort-users] Lots of previously unseen WebDAV alerts?

James Garrison jhg at ...4209...
Tue Mar 5 08:23:02 EST 2002

Hash: SHA1

Starting last Thursday 28 Feb, we began seeing many instances
of the following alerts:

WEB-IIS webdav file lock attempt
WEB-IIS view source via translate header

The first refers to a WebDAV "LOCK" request, and the second
looks for "Translate: f".

Our public web server does allow WebDAV requests, but only on
port 443 with authentication, and only to authorized users.
The server has been running in its present configuration for
about a year (i.e. we didn't just enable WebDAV), and there
were no configuration changes on February 28th.
All these alerts are occurring on port 80.  There does not
appear to be a pattern to the originating IPs... they're
all over the world.  We've been running snort for the past
4 months, and 2/28/2002 is the first time either of these
alerts occurred.  Since then we've seen 162 file lock
attempts and 364 "translate header".  We have not changed
the snort ruleset in the last 30 days.

Comments?  Insights?

- --
James Garrison                                Athens Group, Inc.
mailto:jhg at ...4209...                    5608 Parkcrest Dr
http://www.athensgroup.com                    Austin, TX 78731
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C         (512) 345-0600 x150

Version: PGP 7.0.4


More information about the Snort-users mailing list