[Snort-sigs] RE : Wordpress brute force rule-wp-login.php
akhform at ...2420...
Tue Sep 9 12:24:52 EDT 2014
Thanks for your reply, please find my answers:
Could you try disabling cksum verification? (-k none)
--> done, no change
Test without detection_filter?
--> Done, and not working either
Are you sure drop works on your test?
---> drop and reject work on the other file
Could you share a pcap?
---> Here is a trace I captured:
Hope this can help, thanks.
2014-09-09 18:15 GMT+02:00 rmkml <rmkml at ...174...>:
> Need more information for helping you.
> Could you try disabling cksum verification? (-k none)
> Test without detection_filter?
> Are you sure drop works on your test?
> Could you share a pcap?
> How to test? Wget or curl non caching web client?
> -------- Original message --------
> From: akh form
> Date: 09/09/2014 17:15 (GMT+01:00)
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] Wordpress brute force rule-wp-login.php
> Hello all,
> I'm starting with snort rules, and I have an issue with one of them. I'd like
> to block that kind of traffic with snort 126.96.36.199:
> "POST /wp-login.php HTTP/1.0" 301 249 "-" "-" gzip:OK In:- Out:-:-pct.
> so I activated the following rule, which should drop the packet after 10
> drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
> Wordpress brute-force login attempt"; flow:to_server,established;
> content:"POST"; nocase; http_method; content:"/wp-login.php"; http_uri;
> detection_filter:track by_src, count 10, seconds 60; metadata:service http;
> sid:26557; rev:3;)
> But unfortunately that rule is not working for me. I probably miss
> something, so any help will be appreciated.
> Thanks in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
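The part of the rule that most often makes a test look "not working" is the detection_filter option. Snort counts rule matches per source (track by_src) and the rule acts only on match number count+1, here the 11th POST to /wp-login.php from one client inside a 60-second window, and on every further match while that window is open; the first 10 POSTs pass untouched. The simulation below is an added example, not code from this thread or from Snort, that replays that logic over constructed request records (the IPs, timestamps and request lines are made up); the exact window-reset handling is a simplification of Snort's sfthd implementation.

```python
"""
Simulate the detection_filter option of the rule discussed in the thread:

    detection_filter:track by_src, count 10, seconds 60;

Added example, not code from the thread or from Snort. The traffic below
is constructed test data, not the poster's pcap.
"""
from dataclasses import dataclass

RULE_COUNT = 10     # count 10
RULE_SECONDS = 60   # seconds 60


@dataclass
class Request:
    ts: float    # seconds since epoch (constructed)
    src: str     # client IP, the key used by track by_src
    method: str  # HTTP method as seen by http_inspect
    uri: str     # normalized URI as seen by http_inspect


def rule_matches(req: Request) -> bool:
    """The rule's content checks: POST (nocase, http_method) and
    /wp-login.php in the http_uri buffer."""
    return req.method.upper() == "POST" and "/wp-login.php" in req.uri


class DetectionFilter:
    """track by_src, count c, seconds s.

    A sampling window opens on the first match from a source. The rule
    fires on match number c+1 and on every later match while the window
    is open; once s seconds have elapsed the window and counter restart.
    (Simplified model of Snort's sfthd detection filter, assumed here.)
    """

    def __init__(self, count: int, seconds: int):
        self.count = count
        self.seconds = seconds
        self._state = {}  # src -> (window_start, matches_seen)

    def check(self, src: str, ts: float) -> bool:
        start, seen = self._state.get(src, (ts, 0))
        if ts - start >= self.seconds:
            start, seen = ts, 0        # window expired: start a new one
        seen += 1
        self._state[src] = (start, seen)
        return seen > self.count


def run_rule(requests, count=RULE_COUNT, seconds=RULE_SECONDS):
    """Return the indexes of the requests on which the rule would fire
    (alert, or drop when Snort runs inline). count=0 behaves like a rule
    with the detection_filter option removed: every match fires."""
    df = DetectionFilter(count, seconds)
    return [i for i, req in enumerate(requests)
            if rule_matches(req) and df.check(req.src, req.ts)]


def constructed_traffic():
    """Constructed request log: one brute-forcer, one client under the limit."""
    base = 1410279600.0  # arbitrary epoch base, constructed
    reqs = []
    # 12 POSTs from one client, 1 s apart: only the 11th and 12th fire.
    for n in range(12):
        reqs.append(Request(base + n, "203.0.113.5", "POST", "/wp-login.php"))
    # A GET to the same URI never matches (the rule requires POST).
    reqs.append(Request(base + 12, "203.0.113.5", "GET", "/wp-login.php"))
    # Exactly 10 POSTs from another client stay at the limit: nothing fires.
    for n in range(10):
        reqs.append(Request(base + n, "198.51.100.9", "POST", "/wp-login.php"))
    # The first client returns after the 60 s window: counter restarted, no fire.
    reqs.append(Request(base + 120, "203.0.113.5", "POST", "/wp-login.php"))
    return reqs


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("fires on request indexes:", run_rule(traffic))
    print("without detection_filter:", run_rule(traffic, count=0))
```

Running it with count=0 mirrors rmkml's suggestion to test without detection_filter: every matching POST then fires, which is the quickest way to separate a content-match problem from the rate logic. Two Snort-side conditions the simulation cannot show: http_method and http_uri only match on traffic that http_inspect has decoded, so the WordPress server's port must be in $HTTP_PORTS and in the http_inspect_server ports list, and a drop action only drops when Snort runs inline (-Q with an inline DAQ); in passive mode a drop rule merely alerts.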