[Snort-sigs] Wordpress brute force rule-wp-login.php

Rodrigo Montoro(Sp0oKeR) spooker at ...2420...
Tue Sep 9 11:26:17 EDT 2014


You are missing the file_data tag.

http://manual.snort.org/node32.html#SECTION004525000000000000000

Regards,

On Tue, Sep 9, 2014 at 12:15 PM, akh form <akhform at ...2420...> wrote:

> Hello all,
>
> I'm starting with snort rules, and I have an issue with one of them, I'd like
> to block that kind of traffic with snort 2.9.6.2:
>
> "POST /wp-login.php HTTP/1.0" 301 249 "-" "-" gzip:OK In:- Out:-:-pct.
> VA8Q-SW7mZkAAC2VsksAAABe
>
> so I activated the following rules, which should drop the packet after 10
> attempts:
>
> drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
> Wordpress brute-force login attempt"; flow:to_server,established;
> content:"POST"; nocase; http_method; content:"/wp-login.php"; http_uri;
> detection_filter:track by_src, count 10, seconds 60; metadata:service http;
> sid:26557; rev:3;)
>
> But unfortunately that rule is not working for me, I probably missed
> something, so any help will be appreciated.
>
> Thanks in advance.
>
>
> Snort:2.9.6.2
> snortrules-snapshot-2962
>
>
>
>



-- 
Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
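As an added illustration (not part of the thread and not Snort's own code), here is a small Python model of how the rule's detection_filter option (track by_src, count 10, seconds 60) gates the alert: per the Snort manual, matches 1 through 10 from one source inside the window stay silent and the 11th and later ones fire. The window-reset behaviour is modelled from the documented semantics, and the sample events are constructed, not taken from the poster's logs.

```python
# Model of Snort's detection_filter semantics (illustration only, not Snort's
# own implementation): a rule becomes eligible to fire once a tracked host
# exceeds `count` matches inside a `seconds` window. Matches 1..count are
# silent; match count+1 and every later match in the same window fires.
class DetectionFilter:
    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.state = {}  # tracked key (source IP) -> [window_start, matches]

    def match(self, src, now):
        """Record one rule match from `src` at time `now` (seconds).
        Return True if the rule fires, i.e. the threshold is exceeded."""
        st = self.state.get(src)
        if st is None or now - st[0] >= self.seconds:
            # first match from this host, or the window expired: start over
            st = self.state[src] = [now, 0]
        st[1] += 1
        return st[1] > self.count


def replay(events, count=10, seconds=60):
    """Feed (timestamp, src_ip, method, uri) events through the filter in time
    order, applying the rule's match conditions (POST to /wp-login.php), and
    return the (timestamp, src_ip) pairs on which the rule would fire."""
    filt = DetectionFilter(count, seconds)
    fired = []
    for ts, src, method, uri in sorted(events):
        if method.upper() == "POST" and uri == "/wp-login.php":
            if filt.match(src, ts):
                fired.append((ts, src))
    return fired


# Constructed sample (documentation-range addresses): one client posts to
# wp-login.php every 2 s for 24 s (12 attempts), then once more at t=70 s;
# a second client logs in once.
SAMPLE = (
    [(t, "203.0.113.5", "POST", "/wp-login.php") for t in range(0, 24, 2)]
    + [(70, "203.0.113.5", "POST", "/wp-login.php")]
    + [(5, "198.51.100.9", "POST", "/wp-login.php")]
)

if __name__ == "__main__":
    # Expected: fires at t=20 and t=22 (11th and 12th attempt); t=70 starts a
    # new window and is silent, as is the single legitimate login.
    for ts, src in replay(SAMPLE):
        print(f"t={ts:>3}s  rule fires for {src}")
```

Run with a lower count to see how much earlier the rule reacts, and note that only the attempts after the threshold are dropped; the first ten always reach the server.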

