[Snort-users] UNKNOWN METHOD

waldo kitty wkitty42 at ...14940...
Thu Nov 7 13:50:17 EST 2013


On 11/7/2013 12:44 PM, Jorge G. Perez wrote:

> preprocessor http_inspect_server: server default \
>
>       http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK \
>                      UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK \
>                      UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT \
>                      SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH \
>                      BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS \
>                      BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \

some googling finds a message from Matt Watchinski on 11 DEC 2012 that says that 
any http methods not in the list will cause an alert... this says that you are 
getting http requests for something else than the above as the method... you 
need to find the snort.log.xxxxxxxxxx file with this pcap part and inspect it to 
see what method is being used in the request... wireshark or some other pcap 
tool should come in handy to show you the details of the request...

here's the link to the post i found... matt's post is the 4th one...
https://groups.google.com/forum/#!topic/mailing.unix.snort/Yzdp8-ggDBw

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
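
The inspection step suggested in the reply above can also be scripted. This is an added example, not part of the original message or of Snort: it walks a pcap and reports HTTP request lines whose method is not in the http_methods list quoted in this thread. Assumptions: the snort.log.xxxxxxxxxx file is classic libpcap format with Ethernet framing, the request line starts a TCP segment, and method names are compared as exact strings; the function names and the sample capture are constructed for illustration.

```python
import struct

# http_methods list quoted in this thread
ALLOWED = set("""GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY
BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE
UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS
BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA""".split())

def tcp_payloads(pcap):
    """Yield non-empty TCP payloads from a classic pcap (Ethernet + IPv4 only)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected classic pcap with Ethernet link type")
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                          # not IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        tcp = frame[14 + ihl:14 + struct.unpack(">H", frame[16:18])[0]]
        if len(tcp) >= 20 and tcp[(tcp[12] >> 4) * 4:]:
            yield tcp[(tcp[12] >> 4) * 4:]    # bytes after the TCP header

def unknown_methods(pcap):
    """Return request lines whose method is not in ALLOWED."""
    hits = []
    for data in tcp_payloads(pcap):
        parts = data.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
        if len(parts) == 3 and parts[2].startswith("HTTP/") and parts[0] not in ALLOWED:
            hits.append(" ".join(parts))
    return hits

def _frame(payload):
    """Constructed Ethernet/IPv4/TCP frame; addresses are documentation ranges."""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80]))
    tcp = struct.pack(">HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def sample_pcap():
    """Constructed two-packet capture: one listed method, one unlisted (FOOBAR)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in map(_frame, (b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
                          b"FOOBAR /x HTTP/1.1\r\nHost: example.test\r\n\r\n")):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

To use it on a real capture, read the log file in binary mode and pass the bytes to unknown_methods(); pcapng files and requests split across segments are not handled.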



