Attacker probes server-specific paths, files, and artifacts to identify technology stack (Apache, Nginx, IIS, Flask, Jetty, XAMPP) and locate sensitive config/log files
Hunting
Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph
Red Flags
- Requests to server-specific directories (
/server-status,/WEB-INF/,/xampp/) - Access attempts to config files (
httpd.conf,web.config,nginx.conf) - Probing default install paths (
/manager/html,/phpmyadmin/) - Log file access attempts (
/access.log,/error.log) - Rapid requests across multiple tech-specific paths (multi-stack probing)
Filters
# Apache enumeration
http.request.uri matches "(?i)/(server-status|server-info|apache|httpd\.conf)"
# Nginx enumeration
http.request.uri matches "(?i)/(nginx\.conf|nginx_status)"
# IIS enumeration
http.request.uri matches "(?i)/(web\.config|aspnet_client)"
# Tomcat / Jetty enumeration
http.request.uri matches "(?i)/(manager/html|WEB-INF|jmx-console)"
# Flask / Python debug
http.request.uri matches "(?i)/(console|__debug__|werkzeug)"
# XAMPP default paths
http.request.uri matches "(?i)/(xampp|phpmyadmin|dashboard)"
# Log file probing
http.request.uri matches "(?i)/(access\.log|error\.log|\.log)"