Snort Web Application Attack on WordPress from Cloudflare Alert
-
Greetings, I am new to Snort, and currently just watching alerts daily to try and suppress non-threats before actually enabling the blocking feature. I ran into this particular alert today and am not sure what to make of it, or how to go about it:

1 TCP Web Application Attack 172.68.230.117 18996 XX.XXX.XX.X 80 1:41421 SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt

Just the sound of it is quite ferocious! The source IP is from Cloudflare, who just happens to be my CDN for a WordPress page hosted on my home server. I guess I am wondering not only whether someone knows exactly what this alert is, but most importantly, if I "Block" this rule and Cloudflare is blocked, I am worried people will not have the ability to access my site until the block is released, as all traffic is directed through Cloudflare. Any suggestions as to how I should proceed?
Thanks!
-
@Abstract3000 said in Snort Web Application Attack on WordPress from Cloudflare Alert:
WordPress wp-config.php access via directory traversal attempt
I did a Google search using the message from the rule. Searched for this term: "WordPress wp-config.php access via directory traversal attempt" and this is a sample of links I found.
- https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30890
- https://www.bitrepository.com/prevent-directory-traversal-attacks-in-php-wordpress.html
- https://neonprimetime.blogspot.com/2016/08/wordpress-file-path-traversal-examples.html
I don't know whether your particular version of Wordpress is affected or not. You could track that down by working through the Wordpress support folks.
Anecdotally, I think Wordpress probably runs like a close second to Adobe in terms of having easily exploited software. I've seen quite a number of Wordpress vulnerability reports over the years. Of course to be absolutely fair, you can say the same for a lot of other common software (hello Microsoft!).
And to answer your question about the consequence of a block, yes, a block from this rule would prevent your home server from communicating with Cloudflare servers (or specifically whatever device or devices live behind the IP).
-
Thanks for the heads up. I did look into the vulnerability prior to posting and I saw it affects versions 4.9..., whereas I am at the latest version, 5.2, thanks to having Auto Update set on.
Though I'm wondering if this was a deliberate attack attempt or a false positive, and can Snort not see beyond Cloudflare to the IP address (spoofed or not) forwarded over from Cloudflare?
Thanks for your time & consideration.
-
@Abstract3000 said in Snort Web Application Attack on WordPress from Cloudflare Alert:
Thanks for the heads up. I did look into the vulnerability prior to posting and I saw it affects versions 4.9..., whereas I am at the latest version, 5.2, thanks to having Auto Update set on.
Though I'm wondering if this was a deliberate attack attempt or a false positive, and can Snort not see beyond Cloudflare to the IP address (spoofed or not) forwarded over from Cloudflare?
Thanks for your time & consideration.
Snort generally can only see the actual IP addresses in the packet's IP header. There are options for the HTTP_INSPECT preprocessor for handling xff (X-Forwarded-For) headers, but those are primarily for logging options. You can create a customized HTTP engine on the PREPROCESSORS tab of Snort with unique settings for certain parameters including the xff options. You should first create a firewall alias containing the HTTP server you are protecting, then use that alias when defining the custom HTTP_INSPECT engine.
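As an added illustration (not from the thread or the pfSense Snort package) of what the custom HTTP_INSPECT engine described above looks like in snort.conf, here is the default engine beside an engine bound to the WordPress host with XFF parsing enabled. The address 192.0.2.10 is a placeholder standing in for the firewall alias, and the `xff_headers` option is assumed to be available in the Snort 2.9.x build in use.

```snort
# Default engine: every event is attributed to the source IP in the packet
# header, which for a site fronted by Cloudflare is always a Cloudflare edge.
preprocessor http_inspect_server: server default \
    profile apache ports { 80 } \
    oversize_dir_length 500

# Custom engine bound to the WordPress origin (192.0.2.10 is a placeholder
# for the host in the firewall alias). enable_xff makes Snort parse the
# X-Forwarded-For / True-Client-IP request headers and log the original
# client IP alongside the event. xff_headers (assumed present in this
# 2.9.x build) adds Cloudflare's CF-Connecting-IP header to the list that
# is consulted, so the logged address is the real visitor, not the CDN edge.
preprocessor http_inspect_server: server { 192.0.2.10 } \
    profile apache ports { 80 } \
    enable_xff \
    xff_headers { CF-Connecting-IP X-Forwarded-For }
```

The XFF address in the event log helps decide whether an alert like 1:41421 is a false positive, but a block generated by the rule still acts on the Cloudflare address in the IP header, so the consequence described in the earlier answer is unchanged.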