[Snort-users] http_inspect: UNKNOWN METHOD

Jeremy Hoel jthoel at ...11827...
Tue Dec 11 13:26:46 EST 2012


We've gotten a lot of alerts for that before, and we actually have that
in our disabled.conf file.

We go back and look at them semi-often to see if we can work out the
deal, but for now we have this disabled.

On Tue, Dec 11, 2012 at 6:16 PM, Greg Williams <gwillia5 at ...15920...> wrote:
> I updated the rules (free VRT) last Friday and didn’t look at the alerts
> until today. I’ve received 158,000 alerts for http_inspect: UNKNOWN METHOD.
> SID is 119-31.
>
> alert ( msg: "HI_CLIENT_UNKNOWN_METHOD"; sid: 31; gid: 119;
> rev: 1; metadata: rule-type preproc ; classtype:unknown; )
>
> I don’t see a reason for this, and I can put a threshold on this rule, but
> is anyone else seeing the same kind of alerts within the past few days?
>
> Greg Williams
> IT Security Principal
> University of Colorado at Colorado Springs
> Phone: 719-255-3211
> Website: http://www.uccs.edu/itsecure
> greg.williams at ...15920...