Access log meaning

I have been getting this line in my access log today and not sure what the
command is that triggers this entry. I am running Apache2

220.160.181.39 - - [02/Dec/2004:06:19:28 -0600] "OPTIONS / HTTP/1.1" 200 -

DanB

On Thu, 2 Dec 2004 16:33:05 -0600, "DanB" <nospam@hotmail.com>
wrote:

>I have been getting this line in my access log today and not sure what the
>command is that triggers this entry. I am running Apache2
>
>220.160.181.39 - - [02/Dec/2004:06:19:28 -0600] "OPTIONS / HTTP/1.1" 200 -

It means that someone did an OPTIONS request to your server,
using the HTTP version 1.1 protocol and your server replied
"OK".
By the way, IP address 220.160.181.39 seems to live in China.

You can read what the OPTIONS method is supposed to return in
http://www.ietf.org/rfc/rfc2616.txt?number=2616

(page 51)

In short (citation from RFC 1616):
The OPTIONS method represents a request for information about
the communication options available on the request/response
chain identified by the Request-URI. This method allows the
client to determine the options and/or requirements associated
with a resource, or the capabilities of a server, without
implying a resource action or initiating a resource retrieval.

>DanB

Good luck,

--
) Kees Nuyt
(
c[_]

Yea, I did the trace back to China too. The information in the manual was a
little ambiguous (at least to me). It stated that if there was no additional
information after the "200 -", then it returned 0 bytes. So I was not sure
if that meant the browser just stopped with the original view, or it got a
canned response that is not logged. Also, I was unable to find any
log/indications of what options they were trying to query, is there a way to
find out?

Thanks for the reply, much appreciated.

Dan

"Kees Nuyt" <k.nuyt@nospam.demon.nl> wrote in message
news:tgc1r0dsvj1jldc7bnl7pkis8agh6kbj9t@4ax.com...
> On Thu, 2 Dec 2004 16:33:05 -0600, "DanB" <nospam@hotmail.com>
> wrote:
>
>>I have been getting this line in my access log today and not sure what the
>>command is that triggers this entry. I am running Apache2
>>
>>220.160.181.39 - - [02/Dec/2004:06:19:28 -0600] "OPTIONS / HTTP/1.1" 200 -
>
> It means that someone did an OPTIONS request to your server,
> using the HTTP version 1.1 protocol and your server replied
> "OK".
> By the way, IP address 220.160.181.39 seems to live in China.
>
> You can read what the OPTIONS method is supposed to return in
> http://www.ietf.org/rfc/rfc2616.txt?number=2616
>
> (page 51)
>
> In short (citation from RFC 1616):
> The OPTIONS method represents a request for information about
> the communication options available on the request/response
> chain identified by the Request-URI. This method allows the
> client to determine the options and/or requirements associated
> with a resource, or the capabilities of a server, without
> implying a resource action or initiating a resource retrieval.
>
>>DanB
>
> Good luck,
>
> --
> ) Kees Nuyt
> (
> c[_]

On Fri, 3 Dec 2004 14:26:42 -0600, "DanB" <nospam@hotmail.com>
wrote:

>Yea, I did the trace back to China too. The information in the manual was a
>little ambiguous (at least to me). It stated that if there was no additional
>information after the "200 -", then it returned 0 bytes.

That could be true. It depends on your log configuration in
httpd.conf what that "-" means. In the CLF (common log format)
it would be defined as %b, which excludes the response headers.
You would need %O to also report headers in the size of the
response.

I use:
#
# %v virtual host
# %h client host
# %l indentd info
# %u http authentication userID
# %t date time
# %r request and protocol
# %>s status returned http rfc 2616 section 10
# %b size of object returned excl. response headers
# %I input size
# %O output size
# %{header}i any HTTP header from list {Referer|User-agent}
# You need to enable mod_logio to use %I and %O
# and mod_vhost_alias for %v

LogFormat "%v %h %u %{%Y%m%d%H%M%S}t \"%r\" %>s %b %I %O
\"%{Referer}i\"" virtualio

CustomLog logs/access.log virtualio

This results in :
my.vhost his.ip.adrs - 20041204181010 "OPTIONS / HTTP/1.1" 200 -
151 260 "-"
, that is to say my server responded with 260 bytes of
information in the response header, and zero in the response
body.

>So I was not sure
>if that meant the browser just stopped with the original view, or it got a
>canned response that is not logged. Also, I was unable to find any
>log/indications of what options they were trying to query, is there a way to
>find out?

They queried the OPTIONS for the resource "/" , the documentroot
of your server. The OPTIONS method only has one parameter.
You really have to read
http://www.ietf.org/rfc/rfc2616.txt?number=2616
to get more information about it. Read the table of contents and
take your pick. I already indicated Page 51 would be interesting
for you. It really makes no sense to copy all its 176 pages
here.

I wouldn't worry about any OPTIONS request, there is nothing
threatening about it and it will not harm your Apache2 server.
In fact, depending on your httpd.conf, the 'attacker' could see
you were running Apache and stopped trying to hack it
immediately ;-)

>Thanks for the reply, much appreciated.

You're welcome. As a "thank you" you could refrain from
top-posting next time. See :
http://www.ietf.org/rfc/rfc1855.txt?number=1855
(Page 7: - If you are sending a reply to a message or a posting
be sure you summarize the original at the top of the message, or
include just enough text of the original to give a context.)

>Dan

--
) Kees Nuyt
(
c[_]