[Snort-sigs] SID 1852 documentation
kevin.peuhkurinen at ...1555...
Mon Jun 9 11:24:10 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
robots.txt access"; flow:to_server,established;
uricontent:"/robots.txt"; nocase; reference:nessus,10302;
classtype:web-application-activity; sid:1852; rev:3;)
A client is requesting the file “robots.txt” from your web server.
This file may contain data that could provide an attacker with
information that could assist in an attack on your server.
In the early days of the web, when search engines first began indexing
sites, it was often desirable to tell the indexing programs – referred
to as robots – not to index certain parts of a site. A standarized
method of accomplishing this was created; by placing a file called
“robot.txt” or “robots.txt” in the root of your web site which search
engines could read and which would tell them what parts of your site you
did not want indexed. However, this file can also be very valuable to
potential attackers if it contains information such as restricted
directories, cgi-bin locations, etc.
Any web site that uses this method to communicate with robots.
An attacker can read your “robots.txt” file and use any sensitive data
in it to profile your site in preparation of an attack.
Ease of Attack:
Very easy. Any browser can request a copy of “robots.txt” from your server.
Many. Most automated search engine indexing programs still request this
file prior to crawling through a web site.
Ensure that your “robots.txt” file, if you need one, does not contain
any sensitive data.
More information about the Snort-sigs