Showing results for 
Search instead for 
Did you mean: 
Level 11

Signature 2244 (Apache shielding... access conf.folder) not firing when expected


Following my previous posts on DVWA testing here and here, as signature 1148 triggers on my test and shows svchost reading cmd.exe, I would assume that the 'type' command that I used as command execution input would result in cmd.exe reading the server.key file.  As it is cmd.exe doing the reading, I am wondering how signature 2244 was not triggered (more information below).

When looking for existing Apache signatures, there are many 'Apache Shielding' signatures, and they seem to be fairly uniform across Linux, Solaris and Windows.  I note that the Windows signature name makes specific note of ePO so I am not sure if the Windows signature is specific to ePO, while signatures for the other OS platforms are not.  Anyhoo, signature details as follows:

Sig ID: 2244

Sig Name: Apache (ePO) Shielding - File access conf.folder

Sig description: "...This event indicates an attempt to read a web site conf. file of the Apache by a process other than an Apache process. ..."

Note that the signature severity is 'low' and this is mapped to a log action in my current lab policy.  I have also tested with access to the apache conf file C:\xampp\apache\conf\httpd.conf

I would assume that cmd.exe is not considered an Apache process.

I am wondering if it has something to do with the Apache version running (2.4.10), as it is not strictly listed as supported, however the supported list isnt the same when comparing the website with the HIPS 8.0 installation guide, so not sure!

Any thoughts?

0 Kudos