[Snort-sigs] RE : Wordpress brute force rule-wp-login.php

akh form akhform at ...2420...
Wed Sep 10 04:24:55 EDT 2014


Hello,

What worked fine for me was this rule; hope it will help someone else:

reject tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Wordpress
Brute Force Login"; flow:to_server,established;content:"POST"; nocase;
http_method; uricontent:"/wp-login.php"; nocase; content:!"wp-submit";
nocase; classtype:web-application-attack; sid:90000100; rev:1;)

All that bad traffic was blocked, and no issue was found on Wordpress.

Best regards,

2014-09-09 18:24 GMT+02:00 akh form <akhform at ...2420...>:

> Hello,
>
> Thanks for your reply, please find my answers:
>
> Could you try disabling cksum verification? (-k none)
>     --> Done, no change
>
> Test without detection_filter?
>    --> Done, and also not working
>
> Are you sure drop works in your test?
>     ---> drop and reject work on the other file
>
> Could you share a pcap?
>     ---> Here is a trace I captured:
>
> .z[1].......E..@/?...S.Wb....P.......&.s3u.v0.F
> .POST./wp-login.php.HTTP/1.0
>
> .Host:.xxxxxxxx.com
>
> .Content-Type:.application/x-www-form-urlencoded
>
> .Content-Length:.26
>
> .
>
> .log=admin&pwd=A123powerx-*
>
> Hope this can help, thanks.
>
>
>
>
> 2014-09-09 18:15 GMT+02:00 rmkml <rmkml at ...174...>:
>
>> Hello,
>>
>> Need more information for helping you.
>>
>> Could you try disabling cksum verification? (-k none)
>>
>> Test without detection_filter?
>>
>> Are you sure drop works in your test?
>>
>> Could you share a pcap?
>>
>> How do you test? Wget or curl, a non-caching web client?
>>
>> Regards
>> @Rmkml
>>
>>
>>
>>
>>
>> -------- Original Message --------
>> From: akh form
>> Date: 09/09/2014 17:15 (GMT+01:00)
>> To: snort-sigs at lists.sourceforge.net
>> Subject: [Snort-sigs] Wordpress brute force rule-wp-login.php
>>
>> Hello all,
>>
>> I'm starting with Snort rules, and I have an issue with one of them; I'd like
>> to block this kind of traffic with Snort 2.9.6.2:
>>
>> "POST /wp-login.php HTTP/1.0" 301 249 "-" "-" gzip:OK In:- Out:-:-pct.
>> VA8Q-SW7mZkAAC2VsksAAABe
>>
>> so I activated the following rule, which should drop the packet after 10
>> attempts:
>>
>> drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
>> Wordpress brute-force login attempt"; flow:to_server,established;
>> content:"POST"; nocase; http_method; content:"/wp-login.php"; http_uri;
>> detection_filter:track by_src, count 10, seconds 60; metadata:service http;
>> sid:26557; rev:3;)
>>
>> But unfortunately that rule is not working for me; I probably missed
>> something, so any help will be appreciated.
>>
>> Thanks in advance.
>>
>>
>> Snort:2.9.6.2
>> snortrules-snapshot-2962
>>
>>
>
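The detection logic of the two rules in this thread, as an added example that is not part of the thread and not Snort code: a Python model of "POST to /wp-login.php" counted per source with the detection_filter thresholds from sid 26557 (10 matches from one source within 60 seconds), combined with the content:!"wp-submit" check from the reject rule that ended up working. The request bodies, IP addresses and host name are constructed; the first request mirrors the captured one.

```python
from collections import defaultdict, deque

COUNT, SECONDS = 10, 60  # as in: detection_filter:track by_src, count 10, seconds 60

def is_login_post(raw: bytes) -> bool:
    """POST with /wp-login.php in the URI, compared case-insensitively (nocase; http_method; http_uri)."""
    parts = raw.split(b"\r\n", 1)[0].split()
    return len(parts) >= 2 and parts[0].upper() == b"POST" \
        and b"/wp-login.php" in parts[1].lower()

def lacks_wp_submit(raw: bytes) -> bool:
    """content:!"wp-submit" over the whole request: the browser login form sends a
    wp-submit field, the captured script request (log=...&pwd=...) did not."""
    return b"wp-submit" not in raw.lower()

class BySourceFilter:
    """Sliding-window equivalent of detection_filter: true on the COUNT-th and every
    later matching request from one source within SECONDS."""
    def __init__(self, count: int = COUNT, seconds: float = SECONDS):
        self.count, self.seconds = count, seconds
        self.hits = defaultdict(deque)  # src -> timestamps of recent matches

    def check(self, src: str, ts: float) -> bool:
        window = self.hits[src]
        window.append(ts)
        while window and ts - window[0] > self.seconds:  # expire hits outside the window
            window.popleft()
        return len(window) >= self.count

def run(events):
    """events: (src_ip, timestamp_seconds, raw_request) tuples; returns the (src, ts)
    pairs on which the combined rule fires."""
    flt, alerts = BySourceFilter(), []
    for src, ts, raw in events:
        if is_login_post(raw) and lacks_wp_submit(raw) and flt.check(src, ts):
            alerts.append((src, ts))
    return alerts

# Constructed requests: the first mirrors the capture in the thread (host and password
# replaced), the second is what a browser submitting the normal login form sends.
SCRIPT_POST = (b"POST /wp-login.php HTTP/1.0\r\nHost: example.com\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 20\r\n\r\nlog=admin&pwd=guess1")
BROWSER_POST = (b"POST /wp-login.php HTTP/1.1\r\nHost: example.com\r\n\r\n"
                b"log=admin&pwd=secret&wp-submit=Log+In&testcookie=1")
EVENTS = ([("203.0.113.5", float(i), SCRIPT_POST) for i in range(12)]
          + [("198.51.100.7", 3.0, BROWSER_POST)])
```

Note that the reject rule in the reply above carries no detection_filter, so it fires on the first POST that lacks wp-submit; the rate threshold only applies to sid 26557.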