Re: strange HTTP requests
From: Bill Carlson (wcarlson_at_vh.org)
Date: 08/26/03
- Previous message: Bill Carlson: "Re: strange web traffic"
- In reply to: bugtraq_at_cgisecurity.net: "Re: strange HTTP requests"
- Next in thread: bugtraq_at_cgisecurity.net: "Re: strange HTTP requests"
- Reply: bugtraq_at_cgisecurity.net: "Re: strange HTTP requests"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 26 Aug 2003 11:05:50 -0500 (CDT) To: bugtraq@cgisecurity.net
On Tue, 26 Aug 2003 bugtraq@cgisecurity.net wrote:
> This is a perfectly valid http request. Opening up a raw connection to "vh.org" I see the following.
>
> Request
> GET / HTTP/1.0
> Host: vh.org
Valid yes. Suspicious, also yes. Any of the many client browsers, indeed
many web spiders will at least send an Agent header. The sparse request
alone does not equal hositile intent, I agree. However, the same user
attempting to visit the URL "http://vh.org/" every five minutes, 24/7? Not
normal behavior.
> I suspect #1 confidently. This would be something in your site configuration and not an attack, at least not with the information
> you provided below. I would read RFC 2616 for more information on HTTP 1.1 and how it works.
I am well aware of HTTP/1.1 and its workings, my configuration is by
design, not accident.
Bill Carlson
-- Systems Administrator wcarlson@vh.org | Anything is possible, Virtual Hospital http://www.vh.org/ | given time and money. University of Iowa Hospitals and Clinics | Opinions are mine, not my employer's. | --------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com ----------------------------------------------------------------------------
- Previous message: Bill Carlson: "Re: strange web traffic"
- In reply to: bugtraq_at_cgisecurity.net: "Re: strange HTTP requests"
- Next in thread: bugtraq_at_cgisecurity.net: "Re: strange HTTP requests"
- Reply: bugtraq_at_cgisecurity.net: "Re: strange HTTP requests"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
