Netgate Discussion Forum

Snort Web Application Attack on WordPress from Cloudflare Alert

IDS/IPS
4 Posts 2 Posters 920 Views
    Abstract3000
    last edited by Sep 25, 2019, 12:38 AM

    Greetings, I am new to Snort, and currently just watching alerts daily to try and suppress non-threats before actually enabling the blocking feature. I ran into this particular threat today and am not sure what to make of it, or how to go about it:

    1 TCP Web Application Attack 172.68.230.117 18996 XX.XXX.XX.X 80 1:41421 SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt

    Just the sound of it is simply quite ferocious! The source IP is from Cloudflare, who just happens to be my CDN for a WordPress page hosted on my home server. I guess I am wondering not only whether someone knows exactly what this alert is, but most importantly, if I "Block" this rule and Cloudflare is blocked, I am worried people will not have the ability to access my site until the block is released, as all traffic is directed through Cloudflare. Any suggestions as to how I should proceed?

    Thanks!

      bmeeks
      last edited by bmeeks Sep 25, 2019, 2:14 AM

      @Abstract3000 said in Snort Web Application Attack on WordPress from Cloudflare Alert:

      WordPress wp-config.php access via directory traversal attempt

      I did a Google search using the message from the rule. Searched for this term: "WordPress wp-config.php access via directory traversal attempt" and this is a sample of links I found.

      1. https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30890

      2. https://www.bitrepository.com/prevent-directory-traversal-attacks-in-php-wordpress.html

      3. https://www.exploit-db.com/exploits/40288

      4. https://neonprimetime.blogspot.com/2016/08/wordpress-file-path-traversal-examples.html

      I don't know whether your particular version of WordPress is affected or not. You could track that down by working through the WordPress support folks.

      Anecdotally, I think WordPress probably runs like a close second to Adobe in terms of having easily exploited software. I've seen quite a number of WordPress vulnerability reports over the years. Of course, to be absolutely fair, you can say the same for a lot of other common software (hello Microsoft!).

      And to answer your question about the consequence of a block: yes, a block from this rule would prevent your home server from communicating with Cloudflare servers (or specifically whatever device or devices live behind the IP).

        Abstract3000
        last edited by Sep 25, 2019, 4:08 AM

        Thanks for the heads up. I did look into the vulnerability prior to posting and I saw it affects versions 4.9..., while I am at the latest version, 5.2, thanks to (Auto Update) being set on.

        Though I'm wondering if this was a deliberate attack attempt or a false positive, and can Snort not see beyond Cloudflare to the IP address (spoofed or not) forwarded over from Cloudflare?

        Thanks for your time & consideration.

          bmeeks @Abstract3000
          last edited by bmeeks Sep 28, 2019, 12:34 AM

          @Abstract3000 said in Snort Web Application Attack on WordPress from Cloudflare Alert:

          Thanks for the heads up. I did look into the vulnerability prior to posting and I saw it affects versions 4.9..., while I am at the latest version, 5.2, thanks to (Auto Update) being set on.

          Though I'm wondering if this was a deliberate attack attempt or a false positive, and can Snort not see beyond Cloudflare to the IP address (spoofed or not) forwarded over from Cloudflare?

          Thanks for your time & consideration.

          Snort generally can only see the actual IP addresses in the packet's IP header. There are options for the HTTP_INSPECT preprocessor for handling XFF (X-Forwarded-For) headers, but those are primarily logging options. You can create a customized HTTP engine on the PREPROCESSORS tab of Snort with unique settings for certain parameters, including the XFF options. You should first create a firewall alias containing the HTTP server you are protecting, then use that alias when defining the custom HTTP_INSPECT engine.
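The following is an added example, written for this page and not code from the thread, from Snort or from pfSense. It shows the distinction bmeeks describes: the packet's IP header carries the Cloudflare edge address (the 172.68.230.117 from the alert), so a by-source block keys on the CDN, while the originating visitor is only visible inside HTTP headers that Cloudflare adds (CF-Connecting-IP, and X-Forwarded-For). The request lines, header values and the client address 203.0.113.45 are constructed; the traversal check is a simplified, hypothetical stand-in for what a "wp-config.php via directory traversal" rule looks for, not the actual content of rule 1:41421.

```python
"""Constructed example: what an IDS sees for a request that arrives via a CDN edge.

The IP header shows the edge address; the real client appears only in
CF-Connecting-IP / X-Forwarded-For. The detection below is a simplified,
hypothetical check, NOT the text of Snort rule 1:41421.
"""
from urllib.parse import unquote
import ipaddress
import re

# "../" after decoding and normalisation (backslashes are folded to "/").
TRAVERSAL = re.compile(r"\.\./")


def decode_uri(uri: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double encoding like %252e%252e%252f is seen."""
    prev = None
    for _ in range(rounds):
        if uri == prev:
            break
        prev, uri = uri, unquote(uri)
    return uri


def normalize_target(target: str) -> str:
    """Fold '\\' to '/' and strip '/./' so ..\\ and ./../ variants look alike."""
    target = target.replace("\\", "/")
    while "/./" in target:
        target = target.replace("/./", "/")
    return target


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, target, headers with lowercase names)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_wpconfig_traversal(target: str) -> bool:
    """True if the decoded request target (path or query) reaches wp-config.php through '..'."""
    decoded = normalize_target(decode_uri(target))
    return "wp-config.php" in decoded.lower() and TRAVERSAL.search(decoded) is not None


def true_client_ip(headers: dict, packet_src: str):
    """Prefer CF-Connecting-IP, then the first X-Forwarded-For hop; else fall back to the IP header."""
    for name in ("cf-connecting-ip", "x-forwarded-for"):
        if name in headers:
            candidate = headers[name].split(",")[0].strip()
            try:
                return str(ipaddress.ip_address(candidate)), name
            except ValueError:
                continue  # malformed header value: ignore it, never trust it blindly
    return packet_src, "ip-header"


def inspect(packet_src: str, raw: bytes) -> dict:
    """Run the check and report which address a packet-level by-source block would hit."""
    _method, target, headers = parse_request(raw)
    matched = is_wpconfig_traversal(target)
    client_ip, source = true_client_ip(headers, packet_src)
    return {
        "alert": matched,
        # A by-src block keys on the IP header, i.e. the CDN edge, not the visitor.
        "block_target_if_by_src": packet_src if matched else None,
        "originating_client": client_ip,
        "client_ip_from": source,
    }


EDGE = "172.68.230.117"  # Cloudflare edge address from the alert; requests below are constructed
ATTACK = (
    b"GET /index.php?file=..%2F..%2Fwp-config.php HTTP/1.1\r\n"
    b"Host: blog.example\r\n"
    b"CF-Connecting-IP: 203.0.113.45\r\n"
    b"X-Forwarded-For: 203.0.113.45\r\n"
    b"\r\n"
)
BENIGN = (
    b"GET /2019/09/hello-world/ HTTP/1.1\r\n"
    b"Host: blog.example\r\n"
    b"CF-Connecting-IP: 198.51.100.7\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in (("attack", ATTACK), ("benign", BENIGN)):
        print(label, inspect(EDGE, raw))
```

Run it and the "attack" line reports the alert with block_target_if_by_src set to the edge address, while originating_client is the header-supplied 203.0.113.45: a by-source block on the IP header would cut off every visitor proxied through that edge, which is exactly the concern raised in the first post. Trusting CF-Connecting-IP only makes sense when the web server accepts traffic from Cloudflare ranges alone, since anyone who can reach the origin directly can set that header themselves.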

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.