Snort mailing list archives
Re: RE : Wordpress brute force rule-wp-login.php
From: akh form <akhform () gmail com>
Date: Wed, 10 Sep 2014 10:24:55 +0200
Hello,

What worked fine for me was this rule, hope it will help someone else:

reject tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Wordpress Brute Force Login"; flow:to_server,established; content:"POST"; nocase; http_method; uricontent:"/wp-login.php"; nocase; content:!"wp-submit"; nocase; classtype:web-application-attack; sid:90000100; rev:1;)

All that bad traffic was blocked, and no issue found on Wordpress.

Best regards;

2014-09-09 18:24 GMT+02:00 akh form <akhform () gmail com>:
Hello,

Thanks for your reply, please find my answers:

Could you try disabling cksum verification? (-k none) --> done, no change
Test without detection_filter? --> Done, and not working either
Are you sure drop works on your test? ---> drop and reject work on the other file
Could you share a pcap? ---> Here is a trace I captured (non-printable header bytes rendered as dots):

.z[1].......E..@/?...S.Wb....P.......&.s3u.v0.F
POST /wp-login.php HTTP/1.0
Host: xxxxxxxx.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

log=admin&pwd=A123powerx-*

Hope this can help, thanks.

2014-09-09 18:15 GMT+02:00 rmkml <rmkml () yahoo fr>:

Hello,
Need more information to help you.
Could you try disabling cksum verification? (-k none)
Test without detection_filter?
Are you sure drop works on your test?
Could you share a pcap?
How to test? Wget or curl non-caching web client?
Regards
@Rmkml

-------- Original message --------
From: akh form
Date: 09/09/2014 17:15 (GMT+01:00)
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Wordpress brute force rule-wp-login.php

Hello all,

I'm starting with snort rules, and I have an issue with one of them. I'd like to block that kind of traffic with snort 2.9.6.2:

"POST /wp-login.php HTTP/1.0" 301 249 "-" "-" gzip:OK In:- Out:-:-pct. VA8Q-SW7mZkAAC2VsksAAABe

so I activated the following rule, which should drop the packet after 10 attempts:

drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress brute-force login attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/wp-login.php"; http_uri; detection_filter:track by_src, count 10, seconds 60; metadata:service http; sid:26557; rev:3;)

But unfortunately that rule is not working for me. I probably miss something, so any help will be appreciated.

Thanks in advance.

Snort: 2.9.6.2
snortrules-snapshot-2962
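Added example, not part of the thread and not Snort code: a small Python model of the two rules discussed above, replayed over constructed HTTP requests. It shows why the two rules behave differently: sid 26557 only produces an event once the same source exceeds 10 matches inside a 60-second window (the documented detection_filter semantics), while sid 90000100 fires on every POST to /wp-login.php whose payload lacks a wp-submit field. The request body is the one from the pcap in the thread; the source addresses, timestamps, browser body and the DetectionFilter class are assumptions made for this example, and the window handling is an approximation of Snort's internal counter, not its implementation.

```python
"""
Added example (not from the thread or from the Snort project): replays
constructed HTTP requests through a small model of the two rules discussed
above, so the difference between the rate-based rule (sid 26557, which uses
detection_filter) and the content-based rule (sid 90000100, which matches
POSTs to /wp-login.php that lack a wp-submit field) can be seen without
running Snort. Source addresses, timestamps and the browser body below are
constructed; the bot body and Host value are those shown in the thread's pcap.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Request:
    ts: float    # arrival time in seconds (constructed)
    src: str     # client IP (constructed)
    method: str
    uri: str
    body: str


def make_post(body: str, version: str = "HTTP/1.0") -> bytes:
    """Build a raw wp-login.php POST shaped like the one in the thread's pcap."""
    return (f"POST /wp-login.php {version}\r\n"
            f"Host: xxxxxxxx.com\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()


def parse_http_request(raw: bytes, ts: float, src: str) -> Request:
    """Minimal request-line/body split; enough for the two rules' checks."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    method, uri, _version = request_line.split(" ", 2)
    return Request(ts, src, method, uri, body.decode("ascii", "replace"))


class DetectionFilter:
    """Approximation (assumption) of Snort's detection_filter 'track by_src,
    count N, seconds S': the rule produces an event only for matches AFTER
    the Nth from the same source within an S-second window; the window
    restarts once S seconds have passed since its first match."""

    def __init__(self, count: int, seconds: float):
        self.count = count
        self.seconds = seconds
        self._state = {}   # src -> (window_start, matches_in_window)

    def exceeded(self, src: str, ts: float) -> bool:
        start, n = self._state.get(src, (ts, 0))
        if ts - start >= self.seconds:
            start, n = ts, 0
        n += 1
        self._state[src] = (start, n)
        return n > self.count


def matches_sid_26557(req: Request) -> bool:
    # content:"POST"; http_method  +  content:"/wp-login.php"; http_uri
    return req.method.upper() == "POST" and "/wp-login.php" in req.uri.lower()


def matches_sid_90000100(req: Request) -> bool:
    # same method/URI checks plus content:!"wp-submit"; nocase
    return matches_sid_26557(req) and "wp-submit" not in req.body.lower()


def run_rules(requests) -> Counter:
    """Return a Counter of (sid, src) -> number of events generated."""
    rate = DetectionFilter(count=10, seconds=60)
    events = Counter()
    for req in requests:
        if matches_sid_26557(req) and rate.exceeded(req.src, req.ts):
            events[(26557, req.src)] += 1
        if matches_sid_90000100(req):
            events[(90000100, req.src)] += 1
    return events


def sample_traffic():
    """Constructed traffic: a fast bot, a slow bot, and one real browser login."""
    bot_body = "log=admin&pwd=A123powerx-*"          # body from the thread's pcap
    browser_body = "log=admin&pwd=correct+horse&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F"
    reqs = []
    # fast bot: 12 attempts in 22 seconds -> sid 26557 fires on the 11th and 12th
    for i in range(12):
        reqs.append(parse_http_request(make_post(bot_body), ts=2.0 * i, src="203.0.113.5"))
    # slow bot: 10 attempts in 10 seconds, then one more 90 seconds later -> never exceeds count 10
    for i in range(10):
        reqs.append(parse_http_request(make_post(bot_body), ts=float(i), src="198.51.100.9"))
    reqs.append(parse_http_request(make_post(bot_body), ts=100.0, src="198.51.100.9"))
    # real user: one browser login, which carries wp-submit -> neither rule fires
    reqs.append(parse_http_request(make_post(browser_body, "HTTP/1.1"), ts=5.0, src="198.51.100.7"))
    return sorted(reqs, key=lambda r: r.ts)


if __name__ == "__main__":
    for (sid, src), n in sorted(run_rules(sample_traffic()).items()):
        print(f"sid {sid:>9} {src:<14} {n} event(s)")
```

Running the block prints two events for sid 26557 (the fast bot only) and one sid 90000100 event for every bot POST, none for the browser. Two practical points the model makes visible: a client that stays at or below 10 POSTs per minute never trips the detection_filter rule, and the content:!"wp-submit" rule drops the first attempt but also any legitimate client that omits the form's submit field. In real Snort, both `drop` and `reject` only block traffic when the sensor runs inline; in passive mode they log like `alert`.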
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- RE : Wordpress brute force rule-wp-login.php rmkml (Sep 09)
- Re: RE : Wordpress brute force rule-wp-login.php akh form (Sep 09)
- Re: RE : Wordpress brute force rule-wp-login.php akh form (Sep 10)
- Re: RE : Wordpress brute force rule-wp-login.php akh form (Sep 09)