[Snort-sigs] RE : Wordpress brute force rule-wp-login.php

akh form akhform at ...2420...
Tue Sep 9 12:24:52 EDT 2014


Hello,

Thanks for your reply, please find my answers:

Could you try disabling cksum verification? (-k none)
    --> done no change

Test without detection_filter?
   --> Done and not working also

Are you sure drop works on your test?
    ---> drop and reject work on the other file

Could you share a pcap?
    ---> Here is a trace I captured:

.z[1].......E..@/?...S.Wb....P.......&.s3u.v0.F
.POST./wp-login.php.HTTP/1.0

.Host:.xxxxxxxx.com

.Content-Type:.application/x-www-form-urlencoded

.Content-Length:.26

.

.log=admin&pwd=A123powerx-*

Hope this can help, thanks.




2014-09-09 18:15 GMT+02:00 rmkml <rmkml at ...174...>:

> Hello,
>
> Need more information for helping you.
>
> Could you try disabling cksum verification? (-k none)
>
> Test without detection_filter?
>
> Are you sure drop works on your test?
>
> Could you share a pcap?
>
> How to test? Wget or curl non caching web client?
>
> Regards
> @Rmkml
>
>
>
>
>
> -------- Original message --------
> From: akh form
> Date: 09/09/2014 17:15 (GMT+01:00)
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] Wordpress brute force rule-wp-login.php
>
> Hello all,
>
> I'm starting with snort rules, and I have an issue with one of them; I'd like
> to block that kind of traffic with snort 2.9.6.2:
>
> "POST /wp-login.php HTTP/1.0" 301 249 "-" "-" gzip:OK In:- Out:-:-pct.
> VA8Q-SW7mZkAAC2VsksAAABe
>
> so I activated the following rule, which should drop the packet after 10
> attempts:
>
> drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
> Wordpress brute-force login attempt"; flow:to_server,established;
> content:"POST"; nocase; http_method; content:"/wp-login.php"; http_uri;
> detection_filter:track by_src, count 10, seconds 60; metadata:service http;
> sid:26557; rev:3;)
>
> But unfortunately that rule is not working for me, I probably missed
> something, so any help will be appreciated.
>
> Thanks in advance.
>
>
> Snort:2.9.6.2
> snortrules-snapshot-2962
>
>
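The rule quoted in the original mail (sid:26557) only drops once the detection_filter has been exceeded: with "track by_src, count 10, seconds 60", the first ten matching POSTs to /wp-login.php from one source IP pass through, and only the eleventh and later requests inside the 60-second window are dropped. The script below is an added example, not code from the thread or from the Snort project; it models that counting logic in Python and runs it over a constructed request log (the IPs and timestamps are made up). The window handling (a new window starts when a match arrives after the previous window has elapsed) is a simplified model of Snort's behaviour and is an assumption.

```python
import re

# Constructed log format (not from the thread):
#   "<seconds since start> <client IP> \"<request line>\""
LOG_LINE = re.compile(r'^(?P<ts>\d+)\s+(?P<src>\S+)\s+"(?P<req>[^"]*)"$')
REQUEST_LINE = re.compile(r'^(?P<method>\S+)\s+(?P<uri>\S+)\s+HTTP/\d\.\d$')


class DetectionFilter:
    """Model of 'detection_filter:track by_src, count N, seconds S'.

    The filter is exceeded on the (N+1)th match from one source inside a
    window of S seconds. A match that arrives after the window has elapsed
    starts a fresh window (simplified model of Snort's logic; assumption).
    """

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.state = {}  # src -> (window_start, matches_in_window)

    def exceeded(self, src, ts):
        start, n = self.state.get(src, (ts, 0))
        if ts - start >= self.seconds:  # window expired: restart the count
            start, n = ts, 0
        n += 1
        self.state[src] = (start, n)
        return n > self.count


def rule_matches(request_line):
    """Mirror the rule's content checks:
    content:"POST"; nocase; http_method;  -> method compared case-insensitively
    content:"/wp-login.php"; http_uri;    -> case-sensitive substring of the URI
    """
    m = REQUEST_LINE.match(request_line)
    if not m:
        return False
    return m.group("method").upper() == "POST" and "/wp-login.php" in m.group("uri")


def simulate(log_lines, count=10, seconds=60):
    """Return (ts, src) for every request the rule would drop."""
    df = DetectionFilter(count, seconds)
    dropped = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, src, req = int(m.group("ts")), m.group("src"), m.group("req")
        if rule_matches(req) and df.exceeded(src, ts):
            dropped.append((ts, src))
    return dropped


# Constructed sample traffic: one source posts to wp-login.php once per second.
ATTACKER, OTHER = "203.0.113.5", "198.51.100.7"
SAMPLE_LOG = (
    [f'{t} {ATTACKER} "POST /wp-login.php HTTP/1.0"' for t in range(12)]
    + [f'5 {OTHER} "POST /wp-login.php HTTP/1.1"',     # other source: own counter
       f'6 {ATTACKER} "GET /wp-login.php HTTP/1.0"',   # wrong method: no match
       f'70 {ATTACKER} "POST /wp-login.php HTTP/1.0"']  # window elapsed: count restarts
)
SAMPLE_LOG.sort(key=lambda line: int(line.split()[0]))  # stable sort by timestamp


if __name__ == "__main__":
    for ts, src in simulate(SAMPLE_LOG):
        print(f"drop at t={ts}s from {src}")
```

Running it shows drops only at t=10 and t=11 for 203.0.113.5: attempts one to ten are let through, and the request at t=70 is not dropped because it falls outside the first window. That is the expected behaviour of the rule as written, so a test that sends fewer than eleven POSTs from one address within a minute will never see a drop.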