Snort Web Application Attack on WordPress from Cloudflare Alert



  • Greetings, I am new to Snort, and currently just watching alerts daily to try and suppress non-threats before actually enabling the blocking feature. I ran into this particular threat today and am not sure what to make of it, or how to go about it:

    1 TCP Web Application Attack 172.68.230.117 18996 XX.XXX.XX.X 80 1:41421 SERVER-WEBAPP WordPress wp-config.php access via directory traversal attempt

    Just the sound of it is simply quite ferocious! The source IP is from Cloudflare, who just happens to be my CDN for a WordPress page hosted on my home server. I guess I am wondering not only whether someone knows exactly what this alert is, but most importantly, if I "Block" this rule and "Cloudflare" is blocked, I am worried people will not be able to access my site until the block is released, as all traffic is directed through Cloudflare. Any suggestions as to how I should proceed?

    Thanks!



  • @Abstract3000 said in Snort Web Application Attack on WordPress from Cloudflare Alert:

    WordPress wp-config.php access via directory traversal attempt

    I did a Google search using the message from the rule. Searched for this term: "WordPress wp-config.php access via directory traversal attempt" and this is a sample of links I found.

    1. https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=30890

    2. https://www.bitrepository.com/prevent-directory-traversal-attacks-in-php-wordpress.html

    3. https://www.exploit-db.com/exploits/40288

    4. https://neonprimetime.blogspot.com/2016/08/wordpress-file-path-traversal-examples.html

    I don't know whether your particular version of WordPress is affected or not. You could track that down by working through the WordPress support folks.

    Anecdotally, I think WordPress probably runs like a close second to Adobe in terms of having easily exploited software. I've seen quite a number of WordPress vulnerability reports over the years. Of course, to be absolutely fair, you can say the same for a lot of other common software (hello Microsoft!).

    And to answer your question about the consequence of a block: yes, a block from this rule would prevent your home server from communicating with Cloudflare servers (or specifically whatever device or devices live behind the IP).



  • Thanks for the heads up. I did look into the vulnerability prior to posting and I saw it affects versions 4.9..., while I am at the latest version 5.2 thanks to (Auto Update) being set on.

    Though I'm wondering if this was a deliberate attack attempt or a false positive, and can Snort not see beyond Cloudflare to the IP address (spoofed or not) forwarded over from Cloudflare?

    Thanks for your time & consideration.



  • @Abstract3000 said in Snort Web Application Attack on WordPress from Cloudflare Alert:

    Thanks for the heads up. I did look into the vulnerability prior to posting and I saw it affects versions 4.9..., while I am at the latest version 5.2 thanks to (Auto Update) being set on.

    Though I'm wondering if this was a deliberate attack attempt or a false positive, and can Snort not see beyond Cloudflare to the IP address (spoofed or not) forwarded over from Cloudflare?

    Thanks for your time & consideration.

    Snort generally can only see the actual IP addresses in the packet's IP header. There are options for the HTTP_INSPECT preprocessor for handling xff (X-Forwarded-For) headers, but those are primarily for logging options. You can create a customized HTTP engine on the PREPROCESSORS tab of Snort with unique settings for certain parameters including the xff options. You should first create a firewall alias containing the HTTP server you are protecting, then use that alias when defining the custom HTTP_INSPECT engine.
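
    The point made above (Snort and the firewall only see the IP-header source, so a block on this alert hits the CDN, and the real client can only be recovered from a forwarded-for header that the trusted proxy appended) can be worked through in a small triage helper. This is an added example, not code from the thread or from Snort/pfSense; the Cloudflare prefix and the sample addresses are assumptions chosen for illustration.

```python
import ipaddress
from typing import Optional

# Assumed trusted-proxy prefixes. 172.64.0.0/13 appears in Cloudflare's
# published IPv4 list, but an operator must refresh this from the official
# list rather than hard-code it; anything outside it is treated as untrusted.
TRUSTED_PROXIES = [ipaddress.ip_network("172.64.0.0/13")]


def is_trusted_proxy(ip: str) -> bool:
    """True when an address belongs to the CDN we deliberately sit behind."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on junk like "unknown"
    return any(addr in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Attribute a request to the right address.

    peer_ip is what Snort sees in the IP header. Only when that peer is a
    trusted proxy do we believe X-Forwarded-For, and then we walk it from the
    right: each trusted hop appends the address it accepted the connection
    from, so the rightmost non-proxy entry is the real client. Entries further
    left were supplied by the client itself and can be forged freely.
    """
    if not xff or not is_trusted_proxy(peer_ip):
        return peer_ip
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            if not is_trusted_proxy(hop):
                return hop
        except ValueError:
            return peer_ip  # malformed hop: fall back to what we can verify
    return peer_ip


def triage_alert(src_ip: str, xff: Optional[str] = None) -> dict:
    """Answer the two questions from the thread for one alert.

    'attribute_to' is the address the event should be logged against, and
    'block_by_packet_ip_safe' says whether a packet-level block on src_ip
    would only affect the attacker rather than cut off the CDN.
    """
    via_cdn = is_trusted_proxy(src_ip)
    return {
        "attribute_to": real_client_ip(src_ip, xff),
        "cdn_proxy": via_cdn,
        "block_by_packet_ip_safe": not via_cdn,
    }
```

    Sample inputs in the test use the alert's Cloudflare source 172.68.230.117 and constructed documentation-range client addresses.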

