[Snort-users] http_inspect: UNKNOWN METHOD

Nick Randolph drandolph at ...1935...
Thu Dec 13 11:30:33 EST 2012


Do you have a pcap you can share?


On Tue, Dec 11, 2012 at 1:48 PM, Greg Williams <gwillia5 at ...15920...> wrote:

> I sampled a few, it's any one of them actually.  HEAD, POST, GET, etc.
>  http_inspect not working correctly?
>
> -----Original Message-----
> From: Matt Watchinski [mailto:mwatchinski at ...1935...]
> Sent: Tuesday, December 11, 2012 11:41 AM
> To: Greg Williams
> Cc: Jeremy Hoel; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] http_inspect: UNKNOWN METHOD
>
> What method does it think is unknown?
>
> These are the default methods in the 294 conf
>
> GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE
> BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE
> UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT
> PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA
> RPC_ECHO_DATA
>
> If it's not in that list, then it would alert.
>
> Cheers,
> -matt
>
> On Tue, Dec 11, 2012 at 1:37 PM, Greg Williams <gwillia5 at ...15920...> wrote:
> > Thanks for the confirmation.  I've been running this for 2 years with
> > only minor tweaks to the rulesets and this is the first time I've seen
> > this.  It has hits on 4075 internal addresses.
> >
> >
> > -----Original Message-----
> > From: Jeremy Hoel [mailto:jthoel at ...11827...]
> > Sent: Tuesday, December 11, 2012 11:27 AM
> > To: Greg Williams
> > Cc: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] http_inspect: UNKNOWN METHOD
> >
> > We've gotten a lot of alerts for that before, and we actually have that in
> > our disabled.conf file.
> >
> > We go back and look at them semi-often to see if we can work out the
> > deal, but for now we have this disabled.
> >
> > On Tue, Dec 11, 2012 at 6:16 PM, Greg Williams <gwillia5 at ...15920...>
> > wrote:
> >> I updated the rules (free VRT) last Friday and didn't look at the
> >> alerts until today.  I've received 158,000 alerts for http_inspect:
> >> UNKNOWN METHOD.
> >> SID is 119-31. alert ( msg: "HI_CLIENT_UNKNOWN_METHOD"; sid: 31; gid: 119; rev: 1; metadata: rule-type preproc ; classtype:unknown; )
> >>
> >> I don't see a reason for this, and I can put a threshold on this
> >> rule, but is anyone else seeing the same kind of alerts within the past
> >> few days?
> >>
> >> ------------------------------------------------------------------------------
> >> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> >> Remotely access PCs and mobile devices and provide instant support
> >> Improve your efficiency, and focus on delivering more value-add services
> >> Discover what IT Professionals Know. Rescue delivers
> >> http://p.sf.net/sfu/logmein_12329d2d
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >>
> >> Please visit http://blog.snort.org to stay current on all the latest
> >> Snort news!
> >
>
>
>
> --
> Matthew Watchinski
> V.P. Vulnerability Research (VRT)
> Sourcefire, Inc.
> Office: 410-423-1928
> http://vrt-blog.snort.org && http://www.snort.org/vrt/
>
>
>



-- 

Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph at ...1935...
Sourcefire.com <http://www.sourcefire.com/>
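The thread boils down to one check: http_inspect compares the first token of each client request line against the http_methods list and raises 119:31 for anything else, and the practical questions are which methods are actually showing up and how to keep the alert from firing 158,000 times. The triage script below is an added example written for this page; it is not code from the Snort project or from anyone in the thread. It takes the method list exactly as Matt quotes it from the 2.9.4 snort.conf, classifies a set of constructed client payloads (standing in for the first bytes of each flow from the pcap Nick asks for), counts unknown methods and noisy sources, and renders the snort.conf http_methods, event_filter and suppress lines you would use to act on the result. Assumptions: the request-line regex is deliberately conservative and does not mirror http_inspect's own, more lenient parser; the comparison is case-sensitive, so a lowercase "get" is reported as unknown (whether http_inspect folds case is not established in the thread); the sample flows and IP addresses are made up.

```python
"""
Triage helper for Snort 2.9.x http_inspect alert 119:31 (HI_CLIENT_UNKNOWN_METHOD).
Added example for this thread, not Snort project code.
"""
from __future__ import annotations

import re
from collections import Counter

# Default http_methods from the 2.9.4 snort.conf, exactly as quoted in the thread.
DEFAULT_HTTP_METHODS = frozenset("""
GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE
BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE
UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT
PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA
RPC_ECHO_DATA
""".split())

# A strict RFC 2616 request line: method token, SP, target, SP, HTTP-version.
# Assumption: http_inspect's parser is more lenient; this is a triage approximation.
REQUEST_LINE = re.compile(rb"^([A-Za-z0-9_-]+) +(\S+) +HTTP/\d\.\d\r?\n")

# Constructed sample flows: (source IP, first client bytes). Not real capture data.
SAMPLES = [
    ("10.1.1.10", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.1.1.10", b"HEAD /favicon.ico HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.1.1.11", b"PATCH /api/items/7 HTTP/1.1\r\nHost: api.example.com\r\n\r\n"),
    ("10.1.1.11", b"REPORT /svn/repo HTTP/1.1\r\nHost: svn.example.com\r\n\r\n"),
    ("10.1.1.12", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS record on an HTTP port
    ("10.1.1.12", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("10.1.1.13", b"get /lowercase HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]


def classify(payload: bytes) -> tuple[str, str | None]:
    """Return (verdict, method).
    'known'    - method is in the default list, should not alert
    'unknown'  - well-formed request line but the method is not in the list
    'not_http' - no request line at all (TLS, binary, truncated data)"""
    m = REQUEST_LINE.match(payload)
    if not m:
        return "not_http", None
    method = m.group(1).decode("ascii")
    # Assumption: case-sensitive match, so 'get' is treated as unknown.
    if method in DEFAULT_HTTP_METHODS:
        return "known", method
    return "unknown", method


def triage(records) -> dict:
    """records: iterable of (src_ip, client_payload). Tallies what would alert."""
    unknown_methods: Counter = Counter()
    not_http_by_src: Counter = Counter()
    alerts_by_src: Counter = Counter()  # flows that would raise 119:31
    for src, payload in records:
        verdict, method = classify(payload)
        if verdict == "known":
            continue
        alerts_by_src[src] += 1
        if verdict == "unknown":
            unknown_methods[method] += 1
        else:
            not_http_by_src[src] += 1
    return {
        "unknown_methods": dict(unknown_methods),
        "not_http_by_src": dict(not_http_by_src),
        "alerts_by_src": dict(alerts_by_src),
    }


def render_config(unknown_methods, suppress_srcs=(), limit_per_src_per_min=1) -> str:
    """Render snort.conf lines: an http_methods list extended with the methods
    you have decided are legitimate, an event_filter so 119:31 fires at most
    once per source per minute, and a suppress per source known to send
    non-HTTP traffic on an inspected port."""
    methods = sorted(DEFAULT_HTTP_METHODS | set(unknown_methods))
    lines = [
        "# merge into the existing 'preprocessor http_inspect_server: server default' block",
        "    http_methods { " + " ".join(methods) + " } \\",
        "",
        f"event_filter gen_id 119, sig_id 31, type limit, track by_src, "
        f"count {limit_per_src_per_min}, seconds 60",
    ]
    for src in sorted(suppress_srcs):
        lines.append(f"suppress gen_id 119, sig_id 31, track by_src, ip {src}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = triage(SAMPLES)
    print("unknown methods:", result["unknown_methods"])
    print("non-HTTP flows by source:", result["not_http_by_src"])
    print("119:31 alerts by source:", result["alerts_by_src"])
    print(render_config(result["unknown_methods"], result["not_http_by_src"]))
```

Run it against the real first-packet payloads and the split tells you which of the three fixes applies: methods your applications legitimately use (PATCH, REPORT) go into http_methods, sources that are not speaking HTTP at all get a suppress or a port correction, and the event_filter keeps the remaining true positives from swamping the console while you look at them.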