Activity Processors: Error Processor: Incident - Unknown Common Directory Requested

Complexity: Suspicious (1.0)

Default Response: 5x = Common Directory Enumeration Incident

Cause: This incident is triggered when a user requests a directory on the server that does not exist, and that directory name is in a list of commonly used directory names (for example: http://www.example.com/public/ where "public" is not a real directory).

Behavior: Administrators often upload sensitive content to a web server in an obscure location and do not link to that content anywhere on the site. The assumption is that the content is private because no one will find it. However, humans are somewhat predictable, so it is quite common for two administrators to pick the same "obscure" location for sensitive content. As such, hackers have compiled a list of the most commonly chosen directory names where sensitive content is often stored, and they test every name in the list to see whether a site has a directory by that name. If it does, the attacker is able to locate and obtain that sensitive content. One tool that allows attackers to quickly identify hidden directories is "DirBuster" (https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project).
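
The trigger logic described above, applied to web server access logs, as an added example (not the product's own code). It assumes Common Log Format input and treats a 404 status as "directory does not exist"; the wordlist and log lines are constructed samples, and the threshold of 5 is taken from the Default Response line.

```python
import re
from collections import defaultdict

# Constructed sample wordlist; the product's real list is not shown on this page.
COMMON_DIRS = {"public", "private", "backup", "admin", "old", "test", "temp"}
ENUMERATION_THRESHOLD = 5  # "5x" in the Default Response line

# Common Log Format: ip - - [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

def requested_directory(path):
    """Return the requested directory name, or None if the path looks like a file."""
    path = path.split("?", 1)[0]
    segments = [s for s in path.split("/") if s]
    if not segments:
        return None
    last = segments[-1].lower()
    return last if path.endswith("/") or "." not in last else None

def detect(log_lines):
    """Return (incidents, enumerators): each hit, and clients at or over the threshold."""
    incidents, per_client = [], defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, path, status = m.groups()
        name = requested_directory(path)
        # Assumption: a 404 response means the directory does not exist.
        if status == "404" and name in COMMON_DIRS:
            incidents.append((client, name))
            per_client[client] += 1
    enumerators = sorted(c for c, n in per_client.items() if n >= ENUMERATION_THRESHOLD)
    return incidents, enumerators

def _line(ip, path, status):
    return f'{ip} - - [01/Jan/2024:00:00:00 +0000] "GET {path} HTTP/1.1" {status} 0'

# Constructed sample log: one client walks the wordlist, the others browse normally.
SAMPLE_LOG = (
    [_line("198.51.100.7", f"/{d}/", 404) for d in ("public", "backup", "admin", "old", "private")]
    + [_line("192.0.2.10", "/public/", 404),            # single miss: one incident only
       _line("192.0.2.10", "/index.html", 200),         # normal page
       _line("192.0.2.11", "/admin/", 200),             # directory exists: no incident
       _line("192.0.2.11", "/missing-page.html", 404)]  # missing file, not a directory
)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```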