[Snort-sigs] Wordpress brute force rule-wp-login.php

akh form akhform at ...2420...
Tue Sep 9 11:15:31 EDT 2014


Hello all,

I'm starting with snort rules, and I have an issue with one of them, I'd like
to block that kind of traffic with snort 2.9.6.2:

"POST /wp-login.php HTTP/1.0" 301 249 "-" "-" gzip:OK In:- Out:-:-pct.
VA8Q-SW7mZkAAC2VsksAAABe

so I activated the following rules, which should drop the packet after 10
attempts:

drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
Wordpress brute-force login attempt"; flow:to_server,established;
content:"POST"; nocase; http_method; content:"/wp-login.php"; http_uri;
detection_filter:track by_src, count 10, seconds 60; metadata:service http;
sid:26557; rev:3;)

But unfortunately that rule is not working for me, I probably miss
something, so any help will be appreciated.

Thanks in advance.


Snort:2.9.6.2
snortrules-snapshot-2962
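
Added example, not part of the original post and not Snort's own code: a simplified Python model of how `detection_filter:track by_src, count 10, seconds 60` gates the rule quoted above, run over constructed traffic. The window-reset behaviour and the sample addresses are assumptions of this sketch; it shows that the rule fires only once a source exceeds 10 matches within the window.

```python
# Added illustration: a simplified model of detection_filter, not Snort's code.
COUNT, SECONDS = 10, 60  # from the rule: count 10, seconds 60


class DetectionFilter:
    """Per-source counter; the rule fires only once COUNT is exceeded."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> (window_start, matches_in_window)

    def hit(self, src, ts):
        start, n = self.state.get(src, (ts, 0))
        if ts - start >= self.seconds:  # assumption: window restarts after SECONDS
            start, n = ts, 0
        n += 1
        self.state[src] = (start, n)
        return n > self.count  # rate must be exceeded, not merely reached


def rule_matches(method, uri):
    # content:"POST"; nocase; http_method; content:"/wp-login.php"; http_uri;
    return "post" in method.lower() and "/wp-login.php" in uri


def firing_times(events):
    """Return {src: [timestamps at which the rule would fire]}."""
    filt, fired = DetectionFilter(COUNT, SECONDS), {}
    for ts, src, method, uri in events:
        fired.setdefault(src, [])
        if rule_matches(method, uri) and filt.hit(src, ts):
            fired[src].append(ts)
    return fired


# Constructed sample traffic (documentation addresses, seconds since start).
EVENTS = sorted(
    [(t, "192.0.2.10", "POST", "/wp-login.php") for t in range(12)]        # 12 in 12 s
    + [(t, "192.0.2.20", "POST", "/wp-login.php") for t in range(10)]      # exactly 10
    + [(t * 7, "192.0.2.30", "POST", "/wp-login.php") for t in range(15)]  # slow, spread out
    + [(5, "192.0.2.10", "GET", "/wp-login.php")]                          # not a POST
)

if __name__ == "__main__":
    for src, times in firing_times(EVENTS).items():
        print(src, "fires at", times)
```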