T1594 – Search Victim-Owned Websites (WAF Detection)

WAF Alert Details
Alert ID: WAF-DIRECTORY-SCAN-7842
Alert Time: 2024-02-09 16:45:22 EST
Severity: MEDIUM (62/100)
Source: Cloudflare WAF
Rule: “Directory Enumeration Scan Detected”
MITRE ATT&CK: T1594 – Search Victim-Owned Websites

Alert Details:

Detection: Directory/file enumeration against company website
Target: www.company.com
Source IP: 185.143.221[.]89 (Romania)
Time Window: 16:30 – 16:45 EST
Requests: 2,847
Pattern: Sequential directory/file brute-forcing

Request Patterns Observed:

– /admin
– /admin.php
– /administrator
– /wp-admin
– /wp-login.php
– /backup
– /backup.zip
– /backup.tar.gz
– /.git
– /.env
– /config
– /config.php
– /database.sql
– /phpinfo.php
– /test.php
– /dev
– /development
– /api
– /api/v1
– /swagger
– /swagger-ui.html

Response Codes:

– 404 (Not Found): 2,542 requests
– 403 (Forbidden): 285 requests
– 200 (OK): 20 requests (public pages only)

User Agent: Mozilla/5.0 (compatible; DirBuster/2.0)
Tool Signature: DirBuster/Dirb style enumeration

Threat Intelligence:

– Source IP associated with known scanning campaigns
– Pattern matches pre-attack reconnaissance
– No successful directory access to sensitive areas
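Detection logic of the kind behind this alert, as an added example that is not Cloudflare's rule and not code from the original report: it parses constructed access-log lines (TEST-NET addresses, not real traffic), flags a source IP either by a burst of 403/404 responses inside the 15-minute window or by the DirBuster User-Agent signature, and lists any sensitive path that actually returned 200, which is the check the impact assessment needs. The sensitive-path list and scanner markers are taken from the alert above; the threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/Nginx style); fields used: client IP, timestamp, path, status, User-Agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
SCANNER_UA_MARKERS = ("dirbuster", "dirb")  # tool signatures named in the alert
SENSITIVE_PATHS = {"/.git", "/.env", "/backup.zip", "/backup.tar.gz", "/database.sql", "/config.php"}

def analyse_access_log(lines, window=timedelta(minutes=15), threshold=50):
    """Per-source-IP findings: 403/404 burst inside `window`, scanner UA, sensitive paths that returned 200."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_ip[m["ip"]].append((ts, m["path"], int(m["status"]), m["ua"]))
    findings = {}
    for ip, events in per_ip.items():
        events.sort()
        misses = [t for t, _, s, _ in events if s in (403, 404)]
        peak = start = 0  # sliding window over the sorted 403/404 timestamps
        for end, t in enumerate(misses):
            while t - misses[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        scanner = any(mk in ua.lower() for _, _, _, ua in events for mk in SCANNER_UA_MARKERS)
        hits = sorted({p for _, p, s, _ in events if s == 200 and p in SENSITIVE_PATHS})
        findings[ip] = {
            "requests": len(events),
            "not_found": sum(s == 404 for _, _, s, _ in events),
            "forbidden": sum(s == 403 for _, _, s, _ in events),
            "peak_misses_in_window": peak,
            "scanner_ua": scanner,
            "flagged": peak >= threshold or scanner,
            "sensitive_hits": hits,  # non-empty means the scan reached something it should not have
        }
    return findings

# Constructed sample on TEST-NET addresses, not real traffic: a DirBuster-style burst and one ordinary visitor.
def log_line(ip, hms, path, status, ua):
    return f'{ip} - - [09/Feb/2024:{hms} -0500] "GET {path} HTTP/1.1" {status} 153 "-" "{ua}"'
SCAN_UA = "Mozilla/5.0 (compatible; DirBuster/2.0)"
SCAN_PATHS = [("/admin", 404), ("/admin.php", 404), ("/wp-admin", 403), ("/.git", 404), ("/.env", 403), ("/backup.zip", 404)]
SAMPLE_LOG = [log_line("203.0.113.5", f"16:30:{i:02d}", p, c, SCAN_UA) for i, (p, c) in enumerate(SCAN_PATHS)]
SAMPLE_LOG.append(log_line("198.51.100.7", "16:31:10", "/", 200, "Mozilla/5.0 (Windows NT 10.0) Firefox/122.0"))
```

Calling `analyse_access_log(SAMPLE_LOG, threshold=5)` flags 203.0.113.5 on both signals and leaves the ordinary visitor alone; a scanner that hides its User-Agent and stays under the burst threshold is exactly the case that count-based rules miss.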

SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify scan pattern in WAF logs | Cloudflare Analytics | Confirmed directory enumeration scan
2. Source Analysis | Investigate attacker IP | GreyNoise, AbuseIPDB | IP known for web scanning; 47 reports
3. Impact Assessment | Check if any sensitive files accessed | WAF Logs, Web Server Logs | No successful access to sensitive files
4. IP Blocking | Block attacker at edge | Cloudflare Firewall Rules | IP added to blocklist
5. Sensitive File Audit | Ensure no sensitive files exposed | Web Team Review | Confirmed .git, .env, backups not accessible

Jira Incident Report
Ticket: SOC-2024-048
Summary: T1594 – Directory Enumeration Scan Against Company Website
Status: RESOLVED
Resolution: RECONNAISSANCE – Blocked
Priority: P3 – LOW
Labels: T1594, website-recon, directory-scan, waf, cloudflare
Components: Web-Security, Perimeter-Defense

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Cloudflare WAF.
Alert: “Directory Enumeration Scan Detected”.
Target: www.company.com.
Source IP: 185.143.221[.]89 (Romania).
Time: 2024-02-09 16:30-16:45 EST.
Technique: MITRE ATT&CK T1594 – Search Victim-Owned Websites.

2. Technical Analysis:

Scan Details:

Tool: DirBuster/Dirb directory enumeration.
Requests: 2,847 in 15 minutes.
Pattern: Common directory/file names brute-forced.
User Agent: “Mozilla/5.0 (compatible; DirBuster/2.0)”.

Targets Attempted:

Admin interfaces (/admin, /wp-admin)
Backup files (/backup.zip, /database.sql)
Source control (/.git)
Environment files (/.env)
Development endpoints (/api, /dev, /test)

Results:

2,542 requests returned 404 (not found)
285 requests returned 403 (forbidden – access denied)
20 requests returned 200 (public pages only)

Source Analysis:

IP: 185.143.221[.]89 (Romania VPS)
AbuseIPDB: 47 reports for web scanning
GreyNoise: Classified as “scanner” – opportunistic

3. Investigation Findings:

Timeline:

16:30 – Scan begins
16:30-16:45 – 2,847 requests logged
16:45 – WAF threshold exceeded, alert triggered
16:47 – SOC begins investigation
16:50 – IP added to blocklist
16:52 – Scan stops (IP blocked)

Security Posture Validation:

No sensitive files were accessible.
.git directory properly configured to return 404.
.env file not accessible.
Backup files not present on web server.
Admin interfaces properly restricted.

4. Containment Actions:

Immediate Actions:

Added source IP to Cloudflare blocklist.
Created firewall rule to block IP at edge.
Verified no successful access to sensitive areas.

Prevention:

Reviewed web server configuration for sensitive file exposure.
Confirmed all sensitive directories properly restricted.
Enhanced WAF rules for directory enumeration detection.

5. Root Cause Analysis:

Primary Cause: External attacker conducting automated website reconnaissance.
Contributing Factors: Public-facing website naturally attracts scanning.

6. Business Impact:

Operational Impact: None.
Data Exposure: None.
Reputational Impact: None.

7. Remediation & Prevention:

Completed Actions:

Attacker IP blocked.
WAF rules enhanced.
Web server configuration audited.

8. Conclusion:

This incident involved automated directory enumeration against the company website. The scan was detected by the WAF and the source IP blocked before any sensitive information was accessed. No compromise occurred.

Closure Rationale: Attack blocked; no data exposure.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-09 17:30 EST