WAF Alert Details
Alert ID: WAF-DIRECTORY-SCAN-7842
Alert Time: 2024-02-09 16:45:22 EST
Severity: MEDIUM (62/100)
Source: Cloudflare WAF
Rule: “Directory Enumeration Scan Detected”
MITRE ATT&CK: T1594 – Search Victim-Owned Websites
Alert Details:
Detection: Directory/file enumeration against company website
Target: www.company.com
Source IP: 185.143.221[.]89 (Romania)
Time Window: 16:30 – 16:45 EST
Requests: 2,847
Pattern: Sequential directory/file brute-forcing
Request Patterns Observed:
– /admin
– /admin.php
– /administrator
– /wp-admin
– /wp-login.php
– /backup
– /backup.zip
– /backup.tar.gz
– /.git
– /.env
– /config
– /config.php
– /database.sql
– /phpinfo.php
– /test.php
– /dev
– /development
– /api
– /api/v1
– /swagger
– /swagger-ui.html
Response Codes:
– 404 (Not Found): 2,542 requests
– 403 (Forbidden): 285 requests
– 200 (OK): 20 requests (public pages only)
User Agent: Mozilla/5.0 (compatible; DirBuster/2.0)
Tool Signature: DirBuster/Dirb style enumeration
Threat Intelligence:
– Source IP associated with known scanning campaigns
– Pattern matches pre-attack reconnaissance
– No successful directory access to sensitive areas
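As an added illustration that is not part of the original alert or report, the Python below sketches the kind of detection logic that sits behind a "Directory Enumeration Scan Detected" rule: it parses combined-format web server access logs, groups requests by client, measures the burst rate inside a sliding 15-minute window, computes the 403/404 ratio, checks the user agent against known enumeration-tool signatures, and lists any probes for sensitive paths (.git, .env, backups), escalating severity if one of those probes returned 200. The log lines (RFC 5737 documentation addresses), thresholds, path patterns and function names are all constructed for this example; the vendor WAF's real rule, thresholds and signatures are not on the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in combined format (not from the page).
# 198.51.100.23 behaves like the scanner in the alert; 203.0.113.7 is a normal visitor.
SAMPLE_LOG = """\
198.51.100.23 - - [09/Feb/2024:16:30:01 -0500] "GET /admin HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; DirBuster/2.0)"
198.51.100.23 - - [09/Feb/2024:16:30:01 -0500] "GET /admin.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; DirBuster/2.0)"
198.51.100.23 - - [09/Feb/2024:16:30:02 -0500] "GET /wp-admin HTTP/1.1" 403 153 "-" "Mozilla/5.0 (compatible; DirBuster/2.0)"
198.51.100.23 - - [09/Feb/2024:16:30:02 -0500] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; DirBuster/2.0)"
198.51.100.23 - - [09/Feb/2024:16:30:03 -0500] "GET /.env HTTP/1.1" 403 153 "-" "Mozilla/5.0 (compatible; DirBuster/2.0)"
198.51.100.23 - - [09/Feb/2024:16:30:03 -0500] "GET /backup.zip HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; DirBuster/2.0)"
198.51.100.23 - - [09/Feb/2024:16:30:04 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; DirBuster/2.0)"
203.0.113.7 - - [09/Feb/2024:16:31:10 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/122.0"
203.0.113.7 - - [09/Feb/2024:16:31:12 -0500] "GET /about HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/122.0"
203.0.113.7 - - [09/Feb/2024:16:31:20 -0500] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/122.0"
this line is deliberately malformed and must be skipped by the parser
"""

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Hypothetical thresholds, deliberately low so the ten-line sample trips them;
# a production rule would use far higher request counts.
WINDOW = timedelta(minutes=15)
MIN_REQUESTS = 5          # requests from one client inside WINDOW
MIN_ERROR_RATIO = 0.8     # share of 403/404 responses that suggests guessing
SCANNER_UA = re.compile(r"dirbuster|dirb|gobuster|ffuf|nikto", re.I)
# Paths whose exposure would matter: VCS metadata, env files, archives, dumps, phpinfo.
SENSITIVE_PATH = re.compile(r"^/\.(git|env|svn)(/|$)|\.(zip|tar\.gz|sql|bak)$|^/phpinfo\.php$", re.I)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def max_requests_in_window(times, window):
    """Largest number of requests from one client inside any sliding window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text):
    """Group requests per client IP and return a finding for each."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        errors = sum(1 for r in recs if r["status"] in (403, 404))
        ratio = errors / len(recs)
        burst = max_requests_in_window([r["ts"] for r in recs], WINDOW)
        scanner_ua = any(SCANNER_UA.search(r["ua"]) for r in recs)
        sensitive = [(r["path"], r["status"]) for r in recs if SENSITIVE_PATH.search(r["path"])]
        exposed = [p for p, s in sensitive if s == 200]
        # Either a burst of mostly-failing requests or a known tool signature is enough.
        is_scan = scanner_ua or (burst >= MIN_REQUESTS and ratio >= MIN_ERROR_RATIO)
        severity = "none"
        if is_scan:
            severity = "high" if exposed else "medium"   # a 200 on a sensitive path is the real incident
        findings[ip] = {
            "requests": len(recs), "burst": burst, "error_ratio": round(ratio, 3),
            "scanner_ua": scanner_ua, "sensitive_hits": sensitive, "exposed": exposed,
            "verdict": "directory_enumeration" if is_scan else None, "severity": severity,
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f["verdict"], f["severity"], f["error_ratio"], f["sensitive_hits"])
```

The "exposed" list is what step 3 of the investigation (impact assessment) answers: a scan where every sensitive probe came back 403/404 is reconnaissance and a P3, as in this report, while a single 200 on a path such as /.git/HEAD or /backup.zip would turn the same alert into a data-exposure incident.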
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify scan pattern in WAF logs | Cloudflare Analytics | Confirmed directory enumeration scan |
| 2. Source Analysis | Investigate attacker IP | GreyNoise, AbuseIPDB | IP known for web scanning; 47 reports |
| 3. Impact Assessment | Check if any sensitive files accessed | WAF Logs, Web Server Logs | No successful access to sensitive files |
| 4. IP Blocking | Block attacker at edge | Cloudflare Firewall Rules | IP added to blocklist |
| 5. Sensitive File Audit | Ensure no sensitive files exposed | Web Team Review | Confirmed .git, .env, backups not accessible |
Jira Incident Report
Ticket: SOC-2024-048
Summary: T1594 – Directory Enumeration Scan Against Company Website
Status: RESOLVED
Resolution: RECONNAISSANCE – Blocked
Priority: P3 – LOW
Labels: T1594, website-recon, directory-scan, waf, cloudflare
Components: Web-Security, Perimeter-Defense
INCIDENT ANALYSIS REPORT
1. Initial Context:
- Detection Source: Cloudflare WAF.
- Alert: “Directory Enumeration Scan Detected”.
- Target: www.company.com.
- Source IP: 185.143.221[.]89 (Romania).
- Time: 2024-02-09 16:30-16:45 EST.
- Technique: MITRE ATT&CK T1594 – Search Victim-Owned Websites.
2. Technical Analysis:
- Scan Details:
  - Tool: DirBuster/Dirb directory enumeration.
  - Requests: 2,847 in 15 minutes.
  - Pattern: Common directory/file names brute-forced.
  - User Agent: “Mozilla/5.0 (compatible; DirBuster/2.0)”.
- Targets Attempted:
  - Admin interfaces (/admin, /wp-admin)
  - Backup files (/backup.zip, /database.sql)
  - Source control (/.git)
  - Environment files (/.env)
  - Development endpoints (/api, /dev, /test)
- Results:
  - 2,542 requests returned 404 (not found)
  - 285 requests returned 403 (forbidden – access denied)
  - 20 requests returned 200 (public pages only)
- Source Analysis:
  - IP: 185.143.221[.]89 (Romania VPS)
  - AbuseIPDB: 47 reports for web scanning
  - GreyNoise: Classified as “scanner” – opportunistic
3. Investigation Findings:
- Timeline:
  - 16:30 – Scan begins
  - 16:30-16:45 – 2,847 requests logged
  - 16:45 – WAF threshold exceeded, alert triggered
  - 16:47 – SOC begins investigation
  - 16:50 – IP added to blocklist
  - 16:52 – Scan stops (IP blocked)
- Security Posture Validation:
  - No sensitive files were accessible.
  - .git directory properly configured to return 404.
  - .env file not accessible.
  - Backup files not present on web server.
  - Admin interfaces properly restricted.
4. Containment Actions:
- Immediate Actions:
  - Added source IP to Cloudflare blocklist.
  - Created firewall rule to block IP at edge.
  - Verified no successful access to sensitive areas.
- Prevention:
  - Reviewed web server configuration for sensitive file exposure.
  - Confirmed all sensitive directories properly restricted.
  - Enhanced WAF rules for directory enumeration detection.
5. Root Cause Analysis:
- Primary Cause: External attacker conducting automated website reconnaissance.
- Contributing Factors: Public-facing website naturally attracts scanning.
6. Business Impact:
- Operational Impact: None.
- Data Exposure: None.
- Reputational Impact: None.
7. Remediation & Prevention:
- Completed Actions:
  - Attacker IP blocked.
  - WAF rules enhanced.
  - Web server configuration audited.
8. Conclusion:
This incident involved automated directory enumeration against the company website. The scan was detected by WAF and blocked before any sensitive information was accessed. No compromise occurred.
Closure Rationale: Attack blocked; no data exposure.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-09 17:30 EST