[Snort-sigs] SID 1852 documentation

Kevin Peuhkurinen kevin.peuhkurinen at ...1555...
Mon Jun 9 11:24:10 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:3;)
--
Sid:
1852
--
Summary:
A client is requesting the file “robots.txt” from your web server.
--
Impact:
This file may contain data that could provide an attacker with
information that could assist in an attack on your server.
--
Detailed Information:
In the early days of the web, when search engines first began indexing
sites, it was often desirable to tell the indexing programs – referred
to as robots – not to index certain parts of a site. A standardized
method of accomplishing this was created: placing a file called
“robot.txt” or “robots.txt” in the root of your web site, which search
engines could read and which would tell them what parts of your site you
did not want indexed. However, this file can also be very valuable to
potential attackers if it contains information such as restricted
directories, cgi-bin locations, etc.
--
Affected Systems:
Any web site that uses this method to communicate with robots.
--
Attack Scenarios:
An attacker can read your “robots.txt” file and use any sensitive data
in it to profile your site in preparation for an attack.
--
Ease of Attack:
Very easy. Any browser can request a copy of “robots.txt” from your server.
--
False Positives:
Many. Most automated search engine indexing programs still request this
file prior to crawling through a web site.
--
False Negatives:
None known.
--
Corrective Action:
Ensure that your “robots.txt” file, if you need one, does not contain 
any sensitive data.
--
Contributors:
Kevin Peuhkurinen
-- 
Additional References:
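
Added example (not part of the original submission or of Snort): one way to carry out the Corrective Action check by scanning your own robots.txt for Disallow/Allow paths and comments that reveal sensitive locations. The keyword list, the function name audit_robots and the sample file are assumptions constructed for illustration.

```python
import re

# Assumed keyword list (not from the original post); tune it to your own site.
SENSITIVE = re.compile(
    r"admin|cgi-bin|backup|private|secret|passw|internal|\.(?:bak|sql|old|conf)\b",
    re.IGNORECASE,
)

def audit_robots(text):
    """Return (line_no, kind, value) for each robots.txt entry worth reviewing."""
    findings = []
    # Strip a leading byte-order mark so the first directive still parses.
    for no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        rule, _, comment = raw.partition("#")
        field, sep, value = rule.partition(":")
        field, value = field.strip().lower(), value.strip()
        # Disallow/Allow paths are readable by any client: flag revealing ones.
        if sep and field in ("disallow", "allow") and SENSITIVE.search(value):
            findings.append((no, field, value))
        # Comments are served to every client as well.
        if SENSITIVE.search(comment):
            findings.append((no, "comment", comment.strip()))
    return findings

# Constructed sample file for illustration.
SAMPLE = """\
# robots.txt for www.example.com
User-agent: *
Disallow: /cgi-bin/
Disallow: /images/
Disallow: /Admin/login.php   # old admin console
disallow: /backup/site.sql
Disallow:
Sitemap: http://www.example.com/sitemap.xml
"""

if __name__ == "__main__":
    for no, kind, value in audit_robots(SAMPLE):
        print(f"line {no}: {kind}: {value}")
```

Entries it reports are candidates for removal from the file; the resources they name still need their own access controls, since leaving them out of robots.txt does not protect them.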






