
Cybersecurity Triage

Spot Unusual HTTP Methods in Access Logs

You need to identify requests using HTTP methods outside the small set your site normally expects.

Command

awk '$6 !~ /^"(GET|POST|HEAD|OPTIONS)$/ {print $1, $6, $7, $9}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr

What changed

Nothing changes. The command filters and counts unusual request methods.

Danger

safe

When to use it

Use this during defensive triage to find traffic that does not match expected browser or API behavior.

When not to use it

Do not label every uncommon method as hostile; APIs, monitors, and load balancers can produce legitimate exceptions.

Undo or recovery

No undo needed because the command is read-only.

Expected output

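One line per unique combination of source IP, method, path, and response status for requests with unusual methods, each prefixed with its count and sorted with the highest count first. The method keeps the leading double quote from the log's request field (for example "PUT).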

demo script

Disposable terminal steps

  1. awk '{print $6}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr
  2. awk '$6 !~ /^"(GET|POST|HEAD|OPTIONS)$/ {print $1, $6, $7, $9}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr
  3. awk '$6 !~ /^"(GET|POST|HEAD|OPTIONS)$/ {print}' ./fixtures/nginx/access.log

simulated output

What it looks like

disposable vessel
::fixture-ready::
$ awk '{print $6}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr
     22 "GET
      1 "PUT
      1 "POST
      1 "DELETE
::exit-code::0
$ awk '$6 !~ /^"(GET|POST|HEAD|OPTIONS)$/ {print $1, $6, $7, $9}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr
      1 203.0.113.46 "PUT /api/profile 405
      1 203.0.113.46 "DELETE /api/profile 405
::exit-code::0
$ awk '$6 !~ /^"(GET|POST|HEAD|OPTIONS)$/ {print}' ./fixtures/nginx/access.log
203.0.113.46 - - [25/Jun/2026:10:02:01 +0000] "PUT /api/profile HTTP/1.1" 405 90 "-" "curl/8"
203.0.113.46 - - [25/Jun/2026:10:02:03 +0000] "DELETE /api/profile HTTP/1.1" 405 90 "-" "curl/8"
::exit-code::0
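
The commands above split each line on whitespace, so a request line with no spaces (an empty "-" or raw binary bytes) shifts the path and status columns. The following is an added example, not part of the original lesson: a quote-aware variant that reports such lines as MALFORMED. The function names, the optional allow-list argument, and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: quote-aware variant of the lesson's filter.
# Usage: unusual_methods FILE|- [ALLOWED_REGEX]
# ALLOWED_REGEX is a hypothetical parameter; its default mirrors the
# lesson's GET|POST|HEAD|OPTIONS list.
unusual_methods() {
    awk -F'"' -v allowed="${2:-GET|POST|HEAD|OPTIONS}" '
    {
        split($1, pre, " ");  ip = pre[1]        # text before the request line
        split($3, post, " "); status = post[1]   # text after it: status, bytes
        n = split($2, req, " ")                  # request line: METHOD PATH PROTO
        if (n != 3 || req[3] !~ /^HTTP\//) {
            # Empty, truncated or binary request lines get one stable label
            # instead of shifting every later column.
            print ip, "MALFORMED", "-", status
        } else if (req[1] !~ ("^(" allowed ")$")) {
            print ip, req[1], req[2], status
        }
    }' "$1" | sort | uniq -c | sort -nr
}

# Constructed sample log in nginx "combined" format (not the lesson's fixture).
make_sample_log() {
    cat <<'EOF'
192.0.2.10 - - [25/Jun/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [25/Jun/2026:10:00:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.46 - - [25/Jun/2026:10:02:01 +0000] "PUT /api/profile HTTP/1.1" 405 90 "-" "curl/8"
203.0.113.46 - - [25/Jun/2026:10:02:03 +0000] "DELETE /api/profile HTTP/1.1" 405 90 "-" "curl/8"
198.51.100.7 - - [25/Jun/2026:10:03:00 +0000] "\x16\x03\x01\x00" 400 157 "-" "-"
198.51.100.7 - - [25/Jun/2026:10:03:02 +0000] "\x16\x03\x01\x00" 400 157 "-" "-"
198.51.100.8 - - [25/Jun/2026:10:04:00 +0000] "-" 400 0 "-" "-"
EOF
}

# Demo run: prints the counted exceptions for the constructed sample.
make_sample_log | unusual_methods -
```

Pass a wider allow-list as the second argument when the site's baseline includes other methods, for example `unusual_methods ./fixtures/nginx/access.log 'GET|POST|HEAD|OPTIONS|PUT|DELETE'`.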

YouTube Short

Look for weird HTTP methods.

Most access logs are GET, POST, HEAD, and OPTIONS. When something else appears, pull it into a short list and review it defensively.

LinkedIn hook

Most site traffic is boring. The weird methods are worth a look.

Question: Do you baseline expected HTTP methods for your public sites?
