Snort mailing list archives
Re: Wordpress brute force rule-wp-login.php
From: "Rodrigo Montoro(Sp0oKeR)" <spooker () gmail com>
Date: Tue, 9 Sep 2014 12:26:17 -0300
You are missing file_data tag.

http://manual.snort.org/node32.html#SECTION004525000000000000000

Regards,

On Tue, Sep 9, 2014 at 12:15 PM, akh form <akhform () gmail com> wrote:
Hello all,

I'm starting with snort rules, and I have an issue with one of them. I'd like to block that kind of traffic with snort 2.9.6.2:

"POST /wp-login.php HTTP/1.0" 301 249 "-" "-" gzip:OK In:- Out:-:-pct. VA8Q-SW7mZkAAC2VsksAAABe

so I activated the following rules, which should drop the packet after 10 attempts:

drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress brute-force login attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/wp-login.php"; http_uri; detection_filter:track by_src, count 10, seconds 60; metadata:service http; sid:26557; rev:3;)

But unfortunately that rule is not working for me, I probably miss something, so any help will be appreciated.

Thanks in advance.

Snort:2.9.6.2
snortrules-snapshot-2962

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
--
Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
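Added example, not part of either message and not Snort's own code: a Python model of the rule's `detection_filter:track by_src, count 10, seconds 60` as the Snort manual describes it, where the first 10 matches from a source in a sampling period generate no event and only later matches in that period do. The access-log layout, the IP addresses and the fixed per-source sampling period are assumptions made for the illustration; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

COUNT, SECONDS = 10, 60  # detection_filter:track by_src, count 10, seconds 60
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (src, epoch_seconds, method, uri), or None if the line does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT).timestamp(), m.group(3), m.group(4)

def rule_matches(method, uri):
    # content:"POST"; nocase; http_method;  content:"/wp-login.php"; http_uri;
    return "post" in method.lower() and "/wp-login.php" in uri

def firing_events(lines, count=COUNT, seconds=SECONDS):
    """Return (src, epoch_seconds) for each match that exceeds `count` in its period."""
    state = {}  # src -> [period_start, matches_in_period]
    fired = []
    for line in lines:
        rec = parse(line)
        if rec is None or not rule_matches(rec[2], rec[3]):
            continue
        src, ts = rec[0], rec[1]
        st = state.setdefault(src, [ts, 0])
        if ts - st[0] >= seconds:  # sampling period elapsed: start a new one
            st[0], st[1] = ts, 0
        st[1] += 1
        if st[1] > count:  # the first `count` matches never generate an event
            fired.append((src, ts))
    return fired

def sample_lines():
    """Constructed log lines: one fast source, one slow source, one unrelated GET."""
    base = datetime(2014, 9, 9, 15, 0, 0, tzinfo=timezone.utc)
    def row(ip, offset, method="POST", uri="/wp-login.php"):
        stamp = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{stamp}] "{method} {uri} HTTP/1.0" 301 249 "-" "-"'
    rows = [row("203.0.113.5", 2 * i) for i in range(12)]    # 12 POSTs in 22 s
    rows += [row("198.51.100.7", 10 * i) for i in range(12)]  # 12 POSTs in 110 s
    rows.append(row("203.0.113.5", 1, "GET", "/index.php"))
    return sorted(rows, key=lambda r: parse(r)[1])

if __name__ == "__main__":
    for src, ts in firing_events(sample_lines()):
        print(src, datetime.fromtimestamp(ts, timezone.utc).isoformat())
```

In this model the fast source produces events only on its 11th and 12th POST, and the slow source, which never exceeds 10 matches inside one 60-second period, produces none.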