Possible Directory Traversal Attempt
About the rule
Rule Type
Standard
Rule Description
Directory traversal is an attempt by an attacker to access files on the host that the web server is not intended to return. For example, attackers seeking usernames and passwords on the host will target paths such as ../../etc/passwd or ../../../etc/shadow. When successful, a directory traversal attack gives the attacker access to sensitive information and identifies a mechanism for future attacks. When unsuccessful, directory traversal is an indication of ongoing external reconnaissance.
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "DETECTION_ACTION_NETWORK_NETWORK_TRAFFIC" AND (URL_ARG contains "/etc/passwd" OR URL_ARG contains "/etc/shadow" OR URL_ARG contains "%2e%2e/" OR URL_ARG contains "../" OR URL_ARG contains "..%2f" OR URL_ARG contains "..%c0%af" OR URL_ARG contains "..%c1%9c" OR URL_ARG contains "..%255c" OR URL_ARG contains "%252e%252e%255c") select Action1.HOSTNAME,Action1.SOURCE_IP,Action1.SOURCE_PORT,Action1.SOURCE_MAC,Action1.SOURCE_INTERFACE,Action1.DEST_NAME,Action1.DESTINATIONHOST,Action1.DEST_IP,Action1.DEST_PORT,Action1.DEST_MAC,Action1.DEST_INTERFACE,Action1.PROTOCOL_APP,Action1.PROTOCOL_TR,Action1.DIRECTION,Action1.DIRECTION_TR,Action1.FW_DIRECTION,Action1.URL_SITE,Action1.URL_ARG,Action1.APPLICATION,Action1.MESSAGE
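As an added illustration (not the vendor's rule engine or code from this page), the Python below re-implements the Criteria above as a plain substring match over constructed network-traffic events, and adds a normalized variant, an assumption rather than part of the rule, that lowercases and percent-decodes URL_ARG before matching so that case and double-encoding differences do not slip past the raw patterns. Field names follow the Criteria; the sample events and the DETECTION_ACTION_OTHER action name are constructed.

```python
from urllib.parse import unquote

# Constants copied from the page's Criteria (plain substring matches).
REQUIRED_ACTION = "DETECTION_ACTION_NETWORK_NETWORK_TRAFFIC"
TRAVERSAL_PATTERNS = (
    "/etc/passwd", "/etc/shadow", "%2e%2e/", "../", "..%2f",
    "..%c0%af", "..%c1%9c", "..%255c", "%252e%252e%255c",
)

def matches_rule(event):
    """The rule as written: action name must match and URL_ARG must
    contain at least one pattern. Returns the patterns that hit."""
    if event.get("actionname") != REQUIRED_ACTION:
        return []
    arg = event.get("URL_ARG") or ""
    return [p for p in TRAVERSAL_PATTERNS if p in arg]

def normalize(arg):
    """Hardening step (assumption, not part of the page's rule): lowercase,
    percent-decode twice so %252e%252e collapses to '..', fold '\\' to '/'.
    Overlong bytes like %c0%af decode to U+FFFD, so the raw match keeps them."""
    for _ in range(2):
        arg = unquote(arg)
    return arg.lower().replace("\\", "/")

def matches_normalized(event):
    """Same criteria on the normalized URL_ARG, so mixed-case or
    double-encoded variants the raw substring match misses still fire."""
    if event.get("actionname") != REQUIRED_ACTION:
        return []
    arg = normalize(event.get("URL_ARG") or "")
    return [p for p in TRAVERSAL_PATTERNS if p in arg]

# Constructed sample events shaped like the rule's selected fields.
SAMPLE_EVENTS = [
    {"actionname": REQUIRED_ACTION, "SOURCE_IP": "198.51.100.7",
     "URL_ARG": "file=../../etc/passwd"},
    {"actionname": REQUIRED_ACTION, "SOURCE_IP": "198.51.100.7",
     "URL_ARG": "file=%2E%2E/%2E%2E/etc/hosts"},
    {"actionname": "DETECTION_ACTION_OTHER", "SOURCE_IP": "203.0.113.9",
     "URL_ARG": "../etc/passwd"},  # constructed non-matching action name
    {"actionname": REQUIRED_ACTION, "SOURCE_IP": "192.0.2.4",
     "URL_ARG": "page=about"},
]

def run(events):
    """One row per firing event: (SOURCE_IP, raw hits, normalized hits)."""
    rows = [(e["SOURCE_IP"], matches_rule(e), matches_normalized(e)) for e in events]
    return [r for r in rows if r[1] or r[2]]
```

The second sample event shows the gap the normalized pass closes: uppercase %2E%2E/ is not in the rule's pattern list, so the raw criteria are silent while the decoded form reveals ../.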
Detection
Execution Mode
realtime
Log Sources
Network