SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web-based applications on servers.
SERVER-WEBAPP PostfixAdmin protected alias deletion attempt
This event is generated when an authenticated admin attempts to delete an alias in the PostfixAdmin web admin tool.
Web Application Attack
Rule checks for an attempt to delete a protected alias in PostfixAdmin.
Ease of Attack:
What To Look For
No public information
Known false positives, with the described conditions
There is no way to discern a malicious alias deletion from a benign one, so this rule will alert on all deletion attempts.
Cisco Talos Intelligence Group
MITRE ATT&CK Framework
For reference, see the MITRE ATT&CK vulnerability types here:
CVE Additional Information
CVE-2017-5930: The AliasHandler component in PostfixAdmin before 3.0.2 allows remote authenticated domain admins to delete protected aliases via the delete parameter to delete.php, involving a missing permission check.