[prev in list] [next in list] [prev in thread] [next in thread] 

List:       incidents
Subject:    Re: Use of HEAD in web server scan
From:       "Mike Lewinski" <mike () rockynet ! com>
Date:       2001-10-29 2:08:24
[Download RAW message or body]

> I went back to the snort logs and had a look at the packet dumps and
> found that they were all HEAD requests which appear not to be logged by
> IIS.

whisker uses HEAD requests by default.

IIS will log HEAD requests, but may require some reconfiguration of logging
parameters. I.E. I just checked and this was logged on an IIS 4 server:

13:31:51 195.92.95.69 W3SVC30 HEAD /index.htm - 200 284 153 80 Mozilla/4.0+
(compatible;+Netcraft+Web+Server+Survey) http://www.netcraft.com/survey/

I've selected "W3C Extended Log File Format" in the MMC. Also under
"Properties" I have checked "Method" (plus everything else of interest).

If you find that these settings are present on your system, perhaps the logs
were cleaned.

Mike



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

[prev in list] [next in list] [prev in thread] [next in thread]