SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.
SERVER-WEBAPP server-info access
This event is generated when an attempt is made to access server-info. Using the Apache webserver, this url is generally handled by the mod_info module, which will happily disclose valuable information about your webserver which may aid in their attack. Impact: Information disclosure. Details: The mod_info module "provides a comprehensive overview of the server configuration including all installed modules and directives in the configuration files" for the Apache webserver. Successfully accessing the url that is handle by mod_info may give an attacker valuable information about the server. If mod_info is in use and the attacking host is allowed to access it, every possible configuration option that the Apache server is using can be viewed. This includes ACLs, modules, file and directory names, and other valuable information that will help an attacker determine ways of attacking the server. Ease of Attack: Simple. No exploit software is required.
This rule is triggered from accessing the server-info endpoint.
No public information
Known false positives, with the described conditions
Few, but certainly possible. Since this rule only checks for the existence of "/server-info" in the url, any url containing that string will trigger this rule. A few common false positives may include urls like: http://victim/server-info/contact.html http://victim/really/long/directory/server-info.html
Snort documentation contributed by Jon Hart Cisco Talos Brian Caswell Nigel Houghton
No rule groups
None
No information provided
None