Snort mailing list archives
Users are not able to login with Wordpress Login Bruteforcing rule
From: Gary Liang <figo2476 () gmail com>
Date: Fri, 7 Aug 2015 09:30:39 +1000
I got this WordPress login bruteforcing rule from https://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-web_server.rules

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; flow:to_server,established; content:"/wp-login.php"; nocase; fast_pattern; http_uri; content:"POST"; http_method; content:"log|3d|"; http_client_body; content:"pwd|3d|"; http_client_body; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:2014020; rev:3;)

When I change it from 'alert' to 'reject', I am not able to log in. (It says connection is reset.)

I don't quite understand what the rule means. (What I understand is that when logging, it looks for log or 3d in the post/get method. It looks for client_body pwd 3d. attempted-recon means it's someone "probing" the server.)

Only one user is able to log in to WordPress when 'reject' is used. Three other users have "ERR_CONNECTION_RESET" in Chrome.

Regards
Kenpeter
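An added example, not part of the original post or of the Emerging Threats rule set: a simplified Python model of how Snort 2.x treats the rule's `threshold: type both, track by_src, count 5, seconds 60` compared with a `detection_filter` using the same numbers. It assumes the documented behaviour that `threshold` only limits how many events are logged while the rule action still applies to every matching request; the function names, addresses and timestamps are constructed.

```python
# Added example: simplified model of Snort 2.x rate options, applied to
# requests that have already matched the rule's content checks
# (POST to /wp-login.php with log= and pwd= in the body).

def evaluate(events, mode, count=5, seconds=60):
    """events: (timestamp_seconds, src_ip) tuples in time order.
    Returns one (src_ip, action_applied, event_logged) tuple per request."""
    windows = {}  # src_ip -> (period_start, matches_in_period), i.e. track by_src
    results = []
    for ts, src in events:
        start, seen = windows.get(src, (ts, 0))
        if ts - start >= seconds:        # sampling period expired: start over
            start, seen = ts, 0
        seen += 1
        windows[src] = (start, seen)
        if mode == "threshold_both":
            # Assumption from the Snort manual: threshold is an event filter.
            # It logs once per period, at the count-th match, but the rule
            # action (alert/drop/reject) still applies to every match.
            results.append((src, True, seen == count))
        elif mode == "detection_filter":
            # The rule does not fire at all until count has been exceeded.
            fired = seen > count
            results.append((src, fired, fired))
        else:
            raise ValueError("unknown mode: %s" % mode)
    return results

def rejected_per_source(results):
    """Number of requests per source that the rule action was applied to."""
    totals = {}
    for src, action_applied, _logged in results:
        totals[src] = totals.get(src, 0) + int(action_applied)
    return totals

# Constructed sample: two users logging in once each, then one source
# submitting eight login POSTs within a few seconds.
SAMPLE = [(0, "203.0.113.10"), (5, "203.0.113.11")] + \
         [(10 + i, "198.51.100.7") for i in range(8)]

if __name__ == "__main__":
    for mode in ("threshold_both", "detection_filter"):
        res = evaluate(SAMPLE, mode)
        logged = sum(1 for _s, _a, was_logged in res if was_logged)
        print(mode, rejected_per_source(res), "events logged:", logged)
```

In this model, the `threshold` form with `reject` resets every login POST, including single logins, while the `detection_filter` form only acts on requests beyond the fifth from one source inside the 60-second period.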