Rule:  

--
Sid:
100000315

--
Summary:
This event is generated when an HTTP server issues a successful status
code in response to a request to update a web document via the PUT method.

--
Impact:
The PUT method is a legitimate HTTP command that allows an authorized user
to upload a document into the web content tree. It is most often associated 
with the WebDAV content management protocol.  

Although there are some legitimate uses for the PUT method, it is also a
frequent source of web site defacement, as attackers can easily abuse 
misconfigured web servers that allow unrestricted PUT functionality from 
arbitrary users.

--
Detailed Information:
The rule searches for replies to HTTP PUT requests which indicate success.  
When a successful reply is seen, it implies that the web content area has
been modified, which may be an indicaton that the web site has been 
defaced.

This rule is intended to be used with another SID 100000315, which detects
HTTP PUT requests.

--
Affected Systems:
Any web server

--
Attack Scenarios:
An attacker can issue a PUT reuqest via a script, many different pieces of 
software, or through a manual connection to any web server port.

--
Ease of Attack:
Simple.  Numerous tools exist for creating PUT requests, including some geared
specifically towards web site defacement.  

--
False Positives:
Organizations that use WebDAV to manage their web content may experience
false positives, as the PUT method is a normal part of the WebDAV protocol.
Additionally, any other legitimate web applications which use the PUT method
will generate false positives.

--
False Negatives:
None

--
Corrective Action:
In cases of web site defacement, delete the newly-created file(s) and/or 
restore them from a reliable backup. In all cases, be sure to tune web server
configuration to allow PUT requests only where necessary for a legitimate web
application to function.

--
Contributors:
David J. Bianco, <david@vorant.com>

-- 
Additional References:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6
