Snort mailing list archives
Simple rule to match /wp-admin/
From: Avery Rozar <Avery.Rozar () i-techsupport com>
Date: Tue, 11 Mar 2014 23:49:42 +0000
I’ve noticed many attempts on my network to access /wp-admin/ on all servers accessible via the web. I do not have any wordpress sites, so this is obviously malicious in nature. I would like to setup a rule to drop any and all attempts for wp-admin. The folioing is rule I added into the local.rules, and the sid-message.map has been updated via pulled pork. This rule is not matching attempts. Any ideas or suggestions? drop tcp any any -> $HOME_NET $HTTP_PORTS (msg:"drop - WP-Admin attempt"; flow:to_server; content:"wp-admin"; nocase; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:10000001; rev:1;) ------------------------------------------------------------------------------ Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today! http://p.sf.net/sfu/13534_NeoTech _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Simple rule to match /wp-admin/ Avery Rozar (Mar 11)