[prev in list] [next in list] [prev in thread] [next in thread]
List: incidents
Subject: Re: Use of HEAD in web server scan
From: "Mike Lewinski" <mike () rockynet ! com>
Date: 2001-10-29 2:08:24
[Download RAW message or body]
> I went back to the snort logs and had a look at the packet dumps and
> found that they were all HEAD requests which appear not to be logged by
> IIS.
whisker uses HEAD requests by default.
IIS will log HEAD requests, but may require some reconfiguration of logging
parameters. I.E. I just checked and this was logged on an IIS 4 server:
13:31:51 195.92.95.69 W3SVC30 HEAD /index.htm - 200 284 153 80 Mozilla/4.0+
(compatible;+Netcraft+Web+Server+Survey) http://www.netcraft.com/survey/
I've selected "W3C Extended Log File Format" in the MMC. Also under
"Properties" I have checked "Method" (plus everything else of interest).
If you find that these settings are present on your system, perhaps the logs
were cleaned.
Mike
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic