Snort mailing list archives

Re: RE : Wordpress brute force rule-wp-login.php


From: akh form <akhform () gmail com>
Date: Wed, 10 Sep 2014 10:24:55 +0200

Hello,

What works fine for me was this rule; hope it will help someone else:

reject tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Wordpress Brute Force Login"; \
    flow:to_server,established; content:"POST"; nocase; http_method; \
    uricontent:"/wp-login.php"; nocase; content:!"wp-submit"; nocase; \
    classtype:web-application-attack; sid:90000100; rev:1;)

All that bad traffic was blocked, and no issue was found on Wordpress.

Best regards;

2014-09-09 18:24 GMT+02:00 akh form <akhform () gmail com>:

Hello,

Thanks for your reply, please find my answers:

Could you try disabling cksum verification? (-k none)
    --> done, no change

Test without detection_filter?
    --> Done, and not working either

Are you sure drop works in your test?
    --> drop and reject work on the other file

Could you share a pcap?
    --> Here is a trace I captured:

.z[1].......E..@/?...S.Wb....P.......&.s3u.v0.F
.POST./wp-login.php.HTTP/1.0

.Host:.xxxxxxxx.com

.Content-Type:.application/x-www-form-urlencoded

.Content-Length:.26

.

.log=admin&pwd=A123powerx-*

Hope this can help, thanks.




2014-09-09 18:15 GMT+02:00 rmkml <rmkml () yahoo fr>:

Hello,

Need more information to help you.

Could you try disabling cksum verification? (-k none)

Test without detection_filter?

Are you sure drop works in your test?

Could you share a pcap?

How do you test? wget or curl (a non-caching web client)?

Regards
@Rmkml





-------- Original Message --------
From: akh form
Date: 09/09/2014 17:15 (GMT+01:00)
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Wordpress brute force rule-wp-login.php

Hello all,

I'm starting with Snort rules, and I have an issue with one of them; I'd like
to block this kind of traffic with Snort 2.9.6.2:

"POST /wp-login.php HTTP/1.0" 301 249 "-" "-" gzip:OK In:- Out:-:-pct.
VA8Q-SW7mZkAAC2VsksAAABe

so I activated the following rule, which should drop the packet after 10
attempts:

drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress brute-force login attempt"; \
    flow:to_server,established; content:"POST"; nocase; http_method; \
    content:"/wp-login.php"; http_uri; \
    detection_filter:track by_src, count 10, seconds 60; metadata:service http; \
    sid:26557; rev:3;)

But unfortunately that rule is not working for me; I am probably missing
something, so any help will be appreciated.

Thanks in advance.


Snort:2.9.6.2
snortrules-snapshot-2962
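As an added illustration (not code from this thread or from the Snort project), the Python below models the two rules discussed in the thread over a constructed request stream: the rate-based sid 26557 (detection_filter track by_src, count 10, seconds 60) and the content:!"wp-submit" check from sid 90000100, which keys on the fact that the scripted POSTs in the captured trace carry only log= and pwd= while a browser login form also sends wp-submit. The sliding-window logic is an approximation of Snort's detection_filter, and the IPs, hostname and passwords are assumed sample values.

```python
import re
from collections import defaultdict, deque
COUNT, WINDOW = 10, 60  # detection_filter: track by_src, count 10, seconds 60
REQUEST_LINE = re.compile(r"^(?P<m>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]\r?$", re.M)

def parse(raw):
    """Split a raw HTTP request into (method, uri, body); None if malformed."""
    head, _, body = raw.partition("\r\n\r\n")
    m = REQUEST_LINE.match(head)
    return (m.group("m"), m.group("uri"), body) if m else None

def is_login_post(req):
    """content:"POST"; nocase; http_method; content:"/wp-login.php"; http_uri;"""
    return req[0].upper() == "POST" and "/wp-login.php" in req[1].lower()

def rate_exceeded(hits, src, ts, count=COUNT, seconds=WINDOW):
    """Approximates detection_filter track by_src: True only once the source
    has more than `count` matches inside the last `seconds` seconds."""
    q = hits[src]
    q.append(ts)
    while ts - q[0] >= seconds:  # forget matches that fell out of the window
        q.popleft()
    return len(q) > count

def run_rules(events):
    """events: iterable of (ts_seconds, src_ip, raw_request).
    Returns {sid: [(src_ip, ts), ...]} for the two rules discussed above."""
    hits, alerts = defaultdict(deque), {"26557": [], "90000100": []}
    for ts, src, raw in events:
        req = parse(raw)
        if not req or not is_login_post(req):
            continue
        if rate_exceeded(hits, src, ts):          # sid 26557: rate-based
            alerts["26557"].append((src, ts))
        if "wp-submit" not in req[2].lower():     # sid 90000100: content:!"wp-submit"
            alerts["90000100"].append((src, ts))
    return alerts

def scripted_post(pwd):
    """Constructed request shaped like the trace in the thread: no wp-submit."""
    return ("POST /wp-login.php HTTP/1.0\r\nHost: example.com\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            f"log=admin&pwd={pwd}")

# Constructed sample: 12 scripted attempts from one source within 12 seconds,
# plus one ordinary browser login (which carries wp-submit) from another.
BROWSER_POST = ("POST /wp-login.php HTTP/1.1\r\nHost: example.com\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                "log=admin&pwd=hunter2&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F")
SAMPLE_EVENTS = [(t, "203.0.113.5", scripted_post(f"guess{t}")) for t in range(12)]
SAMPLE_EVENTS.append((5, "198.51.100.7", BROWSER_POST))
```

With the sample stream, sid 26557 only fires on the 11th and 12th attempts from the scripted source, while sid 90000100 flags every scripted POST and leaves the browser login alone.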


