Rule Category

SERVER-OTHER -- Snort has detected traffic exploiting vulnerabilities in a server in the network.

Alert Message

SERVER-OTHER Microsoft Frontpage /_vti_bin/ access

Rule Explanation

This event is generated when an attempt is made to exploit a known vulnerability in a web server running Microsoft FrontPage Server Extensions.

Impact: Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. In some cases, possible execution of arbitrary code of the attacker's choosing. Denial of Service is possible.

Details: This event is generated when an attempt is made to compromise a host running Microsoft FrontPage Server Extensions. Many known vulnerabilities exist for this platform and the attack scenarios are legion. In particular, this rule generates events when the directory _vti_bin is accessed. This directory contains sensitive files that may be utilized in an attack against the server.

Ease of Attack: Simple. Many exploits exist.

What To Look For

This rule will alert when an attempt to enumerate a Microsoft FrontPage directory is detected.

Known Usage

No public information

False Positives

Known false positives, with the described conditions

A user who is using the "discuss" toolbar in Microsoft Internet Explorer may inadvertently generate an event from this rule, because the browser checks for Office Server Extensions. See this URI for more details: http://www.webmasterworld.com/forum39/2158.htm
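
Added example (not part of the Snort rule or the Cisco Talos documentation): a triage helper that groups /_vti_bin/ requests in a web access log by source address, so that a lone request can be told apart from enumeration across many paths. The log lines, the placeholder file names, the combined log format and the burst_threshold heuristic are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log lines in "combined" format; file names are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:09:12:01 +0000] "GET /_vti_bin/file-a HTTP/1.1" 404 196 "-" "agent-x"
198.51.100.7 - - [10/Mar/2024:09:12:01 +0000] "GET /_VTI_BIN/file-b HTTP/1.1" 404 196 "-" "agent-x"
198.51.100.7 - - [10/Mar/2024:09:12:02 +0000] "GET /%5Fvti%5Fbin/file-c HTTP/1.1" 404 196 "-" "agent-x"
198.51.100.7 - - [10/Mar/2024:09:12:02 +0000] "POST /site//_vti_bin/file-d?x=1 HTTP/1.1" 404 196 "-" "agent-x"
192.0.2.33 - - [10/Mar/2024:09:30:40 +0000] "GET /_vti_bin/file-a HTTP/1.1" 404 196 "-" "agent-y"
192.0.2.50 - - [10/Mar/2024:09:31:00 +0000] "GET /docs/_vti_binary/notes HTTP/1.1" 200 512 "-" "agent-z"
203.0.113.9 - - [10/Mar/2024:09:31:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "agent-z"
"""

LINE_RE = re.compile(r'^(?P<src>\S+) [^"]*"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
VTI_RE = re.compile(r"(?:^|/)_vti_bin(?:/|$)", re.IGNORECASE)  # whole path segment only

def normalise_path(target):
    """Drop the query string, undo up to two layers of percent-encoding, tidy slashes."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return re.sub(r"/{2,}", "/", path.replace("\\", "/"))

def triage(log_text, burst_threshold=3):
    """Summarise /_vti_bin/ requests per source address."""
    hits = defaultdict(lambda: {"requests": 0, "paths": set(), "statuses": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = normalise_path(m["target"])
        if VTI_RE.search(path):
            entry = hits[m["src"]]
            entry["requests"] += 1
            entry["paths"].add(path.lower())
            entry["statuses"].add(int(m["status"]))
    report = {}
    for src, entry in hits.items():
        served = any(200 <= s < 300 for s in entry["statuses"])
        report[src] = {
            "requests": entry["requests"],
            "distinct_paths": len(entry["paths"]),
            "any_success": served,
            # Assumed heuristic: many distinct paths, or any 2xx, goes to the top of the queue.
            "review_first": served or len(entry["paths"]) >= burst_threshold,
        }
    return report
```

A source whose requests all returned errors on a server without FrontPage Server Extensions installed is lower priority than one that received a 2xx response from a /_vti_bin/ path.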

Contributors

Cisco Talos, Brian Caswell, Nigel Houghton

Rule Groups

No rule groups

CVE

None

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None

MITRE ATT&CK Framework

Tactic: Collection

Technique: Automated Collection

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org