[Snort-sigs] SID 1857 documentation

Kevin Peuhkurinen kevin.peuhkurinen at ...1555...
Mon Jun 9 11:22:10 EDT 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

robot.txt access"; flow:to_server,established; uricontent:"/robot.txt"; 
nocase; reference:nessus,10302; classtype:web-application-activity; 
sid:1857; rev:3;)
A client is requesting the file “robot.txt” from your web server.
This file may contain data that could provide an attacker with 
information that could assist in an attack on your server.
Detailed Information:
In the early days of the web, when search engines first began indexing 
sites, it was often desirable to tell the indexing programs – referred 
to as robots – not to index certain parts of a site. A standardized 
method of accomplishing this was created: placing a file called 
“robot.txt” or “robots.txt” in the root of your web site which search 
engines could read and which would tell them what parts of your site you 
did not want indexed. However, this file can also be very valuable to 
potential attackers if it contains information such as restricted 
directories, cgi-bin locations, etc.
Affected Systems:
Any web site that uses this method to communicate with robots.
Attack Scenarios:
An attacker can read your “robot.txt” file and use any sensitive data in 
it to profile your site in preparation for an attack.
Ease of Attack:
Very easy. Any browser can request a copy of “robot.txt” from your server.
False Positives:
Many. Most automated search engine indexing programs still request this 
file prior to crawling through a web site.
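To see exactly what the rule's content match covers, here is an added example (my own code, not part of the submission or the Snort rule set) that emulates the `uricontent:"/robot.txt"; nocase;` test of SID 1857 over constructed request lines; it assumes a plain HTTP request line as input and ignores Snort's URI normalization and the flow direction check.

```python
from dataclasses import dataclass
from typing import List, Optional

# Content match taken from SID 1857; "nocase" makes it case-insensitive.
SID = 1857
URICONTENT = "/robot.txt"

# Constructed sample request lines, as a sensor would see them client -> server.
SAMPLE_REQUESTS = [
    "GET /robot.txt HTTP/1.1",          # the file the rule looks for
    "GET /ROBOT.TXT HTTP/1.0",          # same name, different case
    "GET /robots.txt HTTP/1.1",         # the spelling crawlers actually fetch
    "GET /docs/robot.txt?x=1 HTTP/1.1", # substring match anywhere in the URI
    "HEAD /index.html HTTP/1.1",        # unrelated request
]

@dataclass
class Alert:
    sid: int
    uri: str

def parse_request_line(line: str) -> Optional[str]:
    """Return the request URI from 'METHOD URI VERSION', or None if malformed."""
    parts = line.strip().split(" ")
    if len(parts) != 3:
        return None
    return parts[1]

def rule_1857_matches(line: str) -> bool:
    """Emulate uricontent:"/robot.txt"; nocase; on one request line."""
    uri = parse_request_line(line)
    if uri is None:
        return False
    return URICONTENT.lower() in uri.lower()

def scan(lines: List[str]) -> List[Alert]:
    """Run the emulated match over many request lines and collect alerts."""
    return [Alert(SID, parse_request_line(l)) for l in lines if rule_1857_matches(l)]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(f"sid:{alert.sid} fired on {alert.uri}")
```

Note that "/robots.txt" does not contain the string "/robot.txt", so the rule as written fires only on the misspelled file name, not on the standard one.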
False Negatives:
None known.
Corrective Action:
Ensure that your “robot.txt” file, if you need one, does not contain any 
sensitive data.
Kevin Peuhkurinen
Additional References:
