Operator On The Wire
← Back to Knowledge Base
BLUE TEAM / SOC / FILTERING / ATTACKS / APPLICATION LAYER / HTTP / SCANNING

Web Server Enumeration

Attacker probes server-specific paths, files, and artifacts to identify technology stack (Apache, Nginx, IIS, Flask, Jetty, XAMPP) and locate sensitive config/log files


Hunting

Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph


Red Flags

  • Requests to server-specific directories (/server-status, /WEB-INF/, /xampp/)
  • Access attempts to config files (httpd.conf, web.config, nginx.conf)
  • Probing default install paths (/manager/html, /phpmyadmin/)
  • Log file access attempts (/access.log, /error.log)
  • Rapid requests across multiple tech-specific paths (multi-stack probing)

Filters

# Apache enumeration
http.request.uri matches "(?i)/(server-status|server-info|apache|httpd\.conf)"

# Nginx enumeration
http.request.uri matches "(?i)/(nginx\.conf|nginx_status)"

# IIS enumeration
http.request.uri matches "(?i)/(web\.config|aspnet_client)"

# Tomcat / Jetty enumeration
http.request.uri matches "(?i)/(manager/html|WEB-INF|jmx-console)"

# Flask / Python debug
http.request.uri matches "(?i)/(console|__debug__|werkzeug)"

# XAMPP default paths
http.request.uri matches "(?i)/(xampp|phpmyadmin|dashboard)"

# Log file probing
http.request.uri matches "(?i)/(access\.log|error\.log|\.log)"