Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web-based applications on servers.

Alert Message

SERVER-WEBAPP PostfixAdmin protected alias deletion attempt

Rule Explanation

This event is generated when an authenticated admin attempts to delete an alias in the PostfixAdmin web admin tool.

Impact: Web Application Attack

Details: Rule checks for an attempt to delete a protected alias in PostfixAdmin.

Ease of Attack:

What To Look For

Known Usage

No public information

False Positives

Known false positives, with the described conditions

There is no way to discern a malicious alias deletion from a benign one, so this rule will alert on all deletion attempts.
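The following is an added illustration of the detection logic the rule explanation and false-positive note describe; it is not the Snort rule itself or any content from Talos. It flags every HTTP request to PostfixAdmin's delete.php that carries a `delete` parameter (the parameter named in CVE-2017-5930), and, as the false-positive note says, it cannot tell a benign deletion from one targeting a protected alias, so both sample deletions below alert. The `table=alias` parameter, the `/postfixadmin/` path prefix and the log lines are constructed assumptions, not details taken from this page.

```python
"""Flag PostfixAdmin alias deletion requests in web server access logs.

Added example modelled on the rule description; not the Snort rule's own
content. The `table=alias` parameter and URI prefix are assumptions about
PostfixAdmin's request format; only `delete.php` and the `delete` parameter
are named on the page.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format). Two alias
# deletions, one alias listing, one domain deletion.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /postfixadmin/delete.php?table=alias&delete=old%40example.com HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /postfixadmin/delete.php?table=alias&delete=postmaster%40example.com HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:01:00 +0000] "GET /postfixadmin/list.php?table=alias HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "GET /postfixadmin/delete.php?table=domain&delete=example.com HTTP/1.1" 200 512
"""


def parse_request(line):
    """Return (method, target) from the quoted request field, or None."""
    start = line.find('"')
    end = line.find('"', start + 1)
    if start < 0 or end < 0:
        return None
    parts = line[start + 1:end].split()
    if len(parts) < 2:
        return None
    return parts[0], parts[1]


def is_alias_delete(target):
    """True if the request target is a delete.php call against an alias."""
    url = urlsplit(target)
    if not url.path.endswith("/delete.php"):
        return False
    qs = parse_qs(url.query)
    # `table=alias` is an assumed PostfixAdmin parameter; `delete` is the
    # parameter named in CVE-2017-5930.
    return qs.get("table") == ["alias"] and "delete" in qs


def detect(log_text):
    """Return the alias named in every matching request, in log order.

    Like the rule, this cannot distinguish a protected alias from an
    ordinary one; every deletion attempt is reported and the analyst
    must check the alias and the admin's permissions in PostfixAdmin.
    """
    hits = []
    for line in log_text.splitlines():
        req = parse_request(line)
        if req is None:
            continue
        _method, target = req
        if is_alias_delete(target):
            alias = parse_qs(urlsplit(target).query)["delete"][0]
            hits.append(alias)
    return hits


if __name__ == "__main__":
    for alias in detect(SAMPLE_LOG):
        print("alert: PostfixAdmin alias deletion attempt ->", alias)
```

Run against the constructed log, the detector reports both alias deletions and ignores the listing and the domain deletion; triage still needs PostfixAdmin's own record of which aliases are protected and which domains the requesting admin controls.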

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK framework here: https://attack.mitre.org

CVE

Additional Links

Rule Vulnerability

CVE Additional Information

CVE-2017-5930
The AliasHandler component in PostfixAdmin before 3.0.2 allows remote authenticated domain admins to delete protected aliases via the delete parameter to delete.php, involving a missing permission check.
Details

Severity Base Score: 2.7
Impact Score: 1.4
Exploit Score: 1.2
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Access Vector:
Authentication:
Ease of Access: