[Snort-sigs] RE : Wordpress brute force rule-wp-login.php

rmkml rmkml at ...174...
Tue Sep 9 12:15:07 EDT 2014


Need more information for helping you. 

Could you try disabling cksum vérification ? (-k none)

Test without detection_filter? 

Are you sure drop work on your test? 

Could you share a pcap? 

How to test? Wget or curl non caching web client? 


-------- Message d'origine --------
De : akh form <akhform at ...2420...> 
Date :09/09/2014  17:15  (GMT+01:00) 
A : snort-sigs at lists.sourceforge.net 
Objet : [Snort-sigs] Wordpress brute force rule-wp-login.php 

Hello all,

I'm starting with snort rules, and I have an issue with of them, i'd like to block that kind of traffic with snort

"POST /wp-login.php HTTP/1.0" 301 249 "-" "-" gzip:OK In:- Out:-:-pct. VA8Q-SW7mZkAAC2VsksAAABe

so I activated the following rules, which should drop the packet after 10 atempts:

drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress brute-force login attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/wp-login.php"; http_uri; detection_filter:track by_src, count 10, seconds 60; metadata:service http; sid:26557; rev:3;)

But unfortunally that rule is not working for me, I probably miss something, so any help will be appreciate.

Thanks in advance.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20140909/60d2dc21/attachment.html>

More information about the Snort-sigs mailing list