Monday, October 15, 2012

Other HTTP request methods

Everybody is aware of the HTTP request methods GET, HEAD and POST, but how about the others?

Did you even know they existed? Be aware of these methods and their purpose; they can be overlooked when a web server is undergoing a DoS attack.

Using "tshark -z http,stat," will give you a good idea of the number of requests and the type of requests. If you apply this to a dst net or host address and analyze the output, you can quickly get an idea of the number of GET or POST requests, which might be indicative of a GET/POST flood type of attack.

tshark -n -q -z http,stat, -i eth7 host www.mywebserver and port 80
( sample output )

 ===================================================================
HTTP Statistics
* HTTP Status Codes in reply packets
    HTTP 302 Moved Temporarily
    HTTP 200 OK
* List of HTTP Request methods
         GET  48
===================================================================



Typical HTTP request methods are listed below:


GET:- Used when the client is requesting a resource on the Web server.

HEAD:- Used when the client is requesting some information about a resource but not requesting the resource itself.

POST:- Used when the client is sending information or data to the server, for example when filling out an online form (i.e. it sends a large amount of complex data to the web server).

PUT:- Used when the client is sending a replacement document or uploading a new document to the Web server under the request URL.

DELETE:- Used when the client is trying to delete a document from the Web server, identified by the request URL.

TRACE:- Used when the client is asking the available proxies or intermediate servers that change the request to announce themselves.

OPTIONS:- Used when the client wants to determine other available methods to retrieve or process a document on the Web server.

CONNECT:- Used when the client wants to establish a transparent connection to a remote host, usually to facilitate SSL-encrypted communication (HTTPS) through an HTTP proxy.

No two methods are the same. Use tshark or Wireshark and the display filter "http.request.method" for proper identification.

e.g. (on tshark 1.10 and later, use -Y in place of -R for a single-pass display filter)
tshark -n -i eth7 dst host 1.1.1.1 and dst port 80  -R 'http.request.method==POST'

The above would be ideal for getting the number of POST requests sent to a specific destination host, i.e. a web server. These commands will only be helpful against an HTTP server, for the obvious reason.
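
As an added example (not part of the original post), the function below goes one step further than the aggregate counts above: it tallies requests per source address and method from tshark's field output, and marks heavy hitters and methods other than GET/HEAD/POST. The function names, the threshold and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-source tally of HTTP request methods from tshark field output.
# Live feed (tshark 1.10+, needs capture privileges; eth7 as used in the post):
#   tshark -n -l -i eth7 -Y http.request -T fields \
#     -e ip.src -e http.request.method 'dst port 80' | method_tally 100
#
# Input : one request per line, "<src-ip><TAB><method>"
# Output: "<count> <src-ip> <method>[ FLOOD?][ UNCOMMON]", highest count first
#   FLOOD?   = this source/method pair reached the threshold (hypothetical value)
#   UNCOMMON = method is not GET, HEAD or POST, i.e. one that is easy to overlook
method_tally() {
  awk -F'\t' -v t="${1:-100}" '
    NF >= 2 && $2 != "" { n[$1 " " $2]++ }   # skip lines with no method field
    END {
      for (k in n) {
        split(k, p, " ")
        flag = ""
        if (n[k] >= t) flag = " FLOOD?"
        if (p[2] !~ /^(GET|HEAD|POST)$/) flag = flag " UNCOMMON"
        printf "%d %s%s\n", n[k], k, flag
      }
    }' | LC_ALL=C sort -k1,1nr -k2,3
}

# Constructed sample input (documentation addresses), not captured traffic.
sample_requests() {
  for i in 1 2 3 4 5; do printf '198.51.100.7\tPOST\n'; done
  printf '192.0.2.10\tGET\n192.0.2.10\tGET\n'
  printf '192.0.2.44\tTRACE\n'
  printf '203.0.113.9\tOPTIONS\n'
}

# Demo run with a low threshold so the sample triggers a flag.
sample_requests | method_tally 5
```

Pick the threshold from a baseline of normal traffic over the same capture window; a fixed number means little without one.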


This blog is from

Ken Felix
Freelance Security and Network Engineer
Cisco Certified

kfelix  "at"  hyperfeed.com

