SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web-based applications on servers.
SERVER-WEBAPP server-info access
This event is generated when an attempt is made to access server-info. On the Apache web server, this URL is generally handled by the mod_info module, which will happily disclose valuable information about your web server that may aid an attacker.
The mod_info module "provides a comprehensive overview of the server configuration including all installed modules and directives in the configuration files" for the Apache web server. Successfully accessing the URL that is handled by mod_info may give an attacker valuable information about the server.
If mod_info is in use and the attacking host is allowed to access it, every possible configuration option that the Apache server is using can be viewed. This includes ACLs, modules, file and directory names, and other valuable information that will help an attacker determine ways of attacking the server.
Ease of Attack:
Simple. No exploit software is required.
What To Look For
No public information
Known false positives, with the described conditions
Few, but certainly possible. Since this rule only checks for the existence of "/server-info" in the URL, any URL containing that string will trigger this rule. A few common false positives may include URLs like:
Snort documentation contributed by Jon Hart
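To triage alerts from this rule against the false-positive condition described above, the following added example (not part of the original Snort documentation) reads Apache access-log lines and separates requests that actually reach the /server-info location from URLs that merely contain the string. It assumes mod_info is mapped at /server-info, that logs are in common/combined format, and that a 200 status means the page was served; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format: source, request line, status code.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Assumption: mod_info is mapped at the conventional /server-info location.
INFO_PATH = "/server-info"

def classify(line):
    """Return (source, verdict) for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string (mod_info accepts e.g. ?config), decode
    # percent-escapes, and collapse repeated slashes before comparing.
    path = re.sub(r"/{2,}", "/", unquote(m["target"].split("?", 1)[0]))
    if INFO_PATH not in path:
        return (m["src"], "no-match")          # the rule would not have fired
    # A Location block covers the exact path and anything beneath it,
    # but not a longer name that only starts with the same characters.
    if path != INFO_PATH and not path.startswith(INFO_PATH + "/"):
        return (m["src"], "false-positive")    # substring match only
    # Assumption: 200 means the mod_info page was actually returned.
    if m["status"] == "200":
        return (m["src"], "disclosed")
    return (m["src"], "probe-denied")

def triage(lines):
    """Classify every parsable line, preserving order."""
    return [r for r in map(classify, lines) if r is not None]

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /server-info HTTP/1.1" 200 48211',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /server-info?config HTTP/1.1" 403 199',
    '198.51.100.4 - - [10/Mar/2024:10:01:15 +0000] "GET /docs/server-information.html HTTP/1.1" 200 5120',
    '192.0.2.9 - - [10/Mar/2024:10:02:40 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG):
        print(f"{src:15} {verdict}")
```

A "disclosed" verdict is the case worth escalating: the server returned its configuration overview to that source, so access to the location should be restricted or mod_info disabled.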