Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web-based applications on servers.

Alert Message

SERVER-WEBAPP server-info access

Rule Explanation

This event is generated when an attempt is made to access server-info. On the Apache web server, this URL is generally handled by the mod_info module, which will happily disclose valuable information about your web server that may aid an attacker.

Impact: Information disclosure.

Details: The mod_info module "provides a comprehensive overview of the server configuration including all installed modules and directives in the configuration files" for the Apache web server. Successfully accessing the URL that is handled by mod_info may give an attacker valuable information about the server. If mod_info is in use and the attacking host is allowed to access it, every possible configuration option that the Apache server is using can be viewed. This includes ACLs, modules, file and directory names, and other valuable information that will help an attacker determine ways of attacking the server.

Ease of Attack: Simple. No exploit software is required.

What To Look For

Known Usage

No public information

False Positives

Known false positives, with the described conditions

Few, but certainly possible. Since this rule only checks for the existence of "/server-info" in the URL, any URL containing that string will trigger this rule. A few common false positives may include URLs like:

http://victim/server-info/contact.html
http://victim/really/long/directory/server-info.html
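A triage sketch for alerts from this rule, added here as an example and not part of the Snort or Talos documentation: it replays the substring check described above over web server access-log lines and separates requests for the handler path itself from URLs that merely contain the string. It assumes mod_info is mapped at the conventional "/server-info" location and that logs use the Apache common log layout; the function names and the sample log lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

HANDLER = "/server-info"  # assumption: mod_info mapped at the conventional location

# host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Constructed sample access-log lines (documentation address ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /server-info HTTP/1.1" 200 51234
192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /server-info?config HTTP/1.1" 403 199
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /server-info/contact.html HTTP/1.1" 200 812
198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "GET /really/long/directory/server-info.html HTTP/1.1" 200 640
198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 100
"""

def classify(target):
    """Relation of a request target to HANDLER, or None if the string is absent."""
    path = posixpath.normpath(re.sub(r"/+", "/", unquote(urlsplit(target).path)))
    if path == HANDLER:
        return "handler"
    # A <Location "/server-info"> block also covers paths beneath it, so these
    # need a look at the server configuration before being dismissed.
    if path.startswith(HANDLER + "/"):
        return "under-location"
    if HANDLER in path:
        return "substring"
    return None

def triage(log_text):
    """Return (client, target, kind, status) for every line the substring check flags."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m.group(2))
        if kind is not None:
            hits.append((m.group(1), m.group(2), kind, int(m.group(3))))
    return hits

def disclosures(hits):
    """Hits where the handler path itself was requested and the server answered 200."""
    return [h for h in hits if h[2] == "handler" and h[3] == 200]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

A 200 on the handler path from an unexpected client is the case worth escalating; a 403 shows the access control on the location is doing its job.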

Contributors

Snort documentation contributed by Jon Hart, Cisco Talos, Brian Caswell, Nigel Houghton

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

Additional Links

Rule Vulnerability

CVE Additional Information