SID 1:45454

Report a false positive

Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP PostfixAdmin protected alias deletion attempt

Rule Explanation

This event is generated when an authenticated admin attempts to delete an alias in the PostfixAdmin web admin tool. Impact: Web Application Attack Details: Rule checks for an attempt to delete a protected alias in PostfixAdmin. Ease of Attack:

What To Look For

No information provided

Known Usage

No public information

False Positives

Known false positives, with the described conditions

There is no way to discern a malicious alias deletion from a benign one, so this rule will alert on all deletion attempts.

Contributors

Cisco Talos Intelligence Group

Rule Groups

No rule groups

CVE

CVE-2017-5930

Additional Links

attack.mitre.org/techniques/T1070
attack.mitre.org/techniques/T1107
github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/pfadmin_set_protected_alias.rb

Rule Vulnerability

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.
CVE-2017-5930
 Loading description