[Snort-users] http_inspect: UNKNOWN METHOD

Matt Watchinski mwatchinski at ...1935...
Tue Dec 11 13:40:44 EST 2012


What method does it think is unknown?

These are the default methods in the 294 conf:

GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY
BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT
SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH
RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA
RPC_OUT_DATA RPC_ECHO_DATA

If it's not in that list, then it would alert.

Cheers,
-matt

On Tue, Dec 11, 2012 at 1:37 PM, Greg Williams <gwillia5 at ...15920...> wrote:
> Thanks for the confirmation.  I've been running this for 2 years with only minor tweaks to the rulesets and this is the first time I've seen this.  It has hits on 4075 internal addresses.
>
>
> -----Original Message-----
> From: Jeremy Hoel [mailto:jthoel at ...11827...]
> Sent: Tuesday, December 11, 2012 11:27 AM
> To: Greg Williams
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] http_inspect: UNKNOWN METHOD
>
> We've gotten a lot of alerts for that before, and we actually have that in our disabled.conf file.
>
> We go back and look at them semi-often to see if we can work out the deal, but for now we have this disabled.
>
> On Tue, Dec 11, 2012 at 6:16 PM, Greg Williams <gwillia5 at ...15920...> wrote:
>> I updated the rules (free VRT) last Friday and didn't look at the
>> alerts until today.  I've received 158,000 alerts for http_inspect: UNKNOWN METHOD.
>> SID is 119-31. alert ( msg: "HI_CLIENT_UNKNOWN_METHOD"; sid: 31; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
>>
>> I don't see a reason for this, and I can put a threshold on this rule,
>> but is anyone else seeing the same kind of alerts within the past few days?



-- 
Matthew Watchinski
V.P. Vulnerability Research (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-blog.snort.org && http://www.snort.org/vrt/
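As an added triage example (not code from the thread or from Snort): given request lines taken from the HTTP ports, tally the method tokens that fall outside the default list Matt quoted, which answers his first question before deciding whether to threshold, disable, or extend. Exact, case-sensitive matching is an assumption of this script, and the sample request lines are constructed.

```python
"""Triage helper for Snort http_inspect "UNKNOWN METHOD" alerts (gid 119, sid 31).

Added example, not code from the thread or from Snort. Assumes the preprocessor compares
the first token of the request line, exactly and case-sensitively, against its method list.
"""
from collections import Counter

# Default method list from the 2.9.4 conf, as quoted in the thread above.
DEFAULT_HTTP_METHODS = frozenset("""
GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY
BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT
SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH
RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA
RPC_OUT_DATA RPC_ECHO_DATA
""".split())

# Constructed sample of request lines seen on an HTTP port; not data from the thread.
SAMPLE_REQUEST_LINES = [
    "GET /index.html HTTP/1.1",
    "POST /api/login HTTP/1.1",
    "PROPFIND /dav/ HTTP/1.1",
    "REPORT /svn/!svn/vcc/default HTTP/1.1",  # WebDAV/SVN method, not in the default list
    "PATCH /api/items/7 HTTP/1.1",            # RFC 5789 method, not in the default list
    "get /lowercase HTTP/1.1",                # case differs, so unknown under the assumption above
    "\x16\x03\x01\x00\xa5\x01",               # TLS ClientHello bytes: non-HTTP data on an HTTP port
    "",                                       # empty request line, no token to check
]

def request_method(request_line):
    """Return the first whitespace-delimited token of a request line, or None if there is none."""
    parts = request_line.split(None, 1)
    return parts[0] if parts else None

def is_known_method(method, known=DEFAULT_HTTP_METHODS):
    """True if the token is in the method list (exact match, as assumed above)."""
    return method in known

def tally_unknown_methods(request_lines, known=DEFAULT_HTTP_METHODS):
    """Count the tokens that would trigger the alert, so the noisiest one surfaces first."""
    counts = Counter()
    for line in request_lines:
        method = request_method(line)
        if method is not None and not is_known_method(method, known):
            counts[method] += 1
    return counts

if __name__ == "__main__":
    for method, n in tally_unknown_methods(SAMPLE_REQUEST_LINES).most_common():
        print(f"{n:6d}  {method!r}")
```

Once the offending token is known, the choice discussed in the thread (threshold, disable, or accept the method) becomes concrete; passing an extended set as `known` previews the effect of adding methods via the http_inspect_server `http_methods` option.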