[Snort-users] Users are not able to login with Wordpress Login Bruteforcing rule
figo2476 at ...11827...
Thu Aug 6 19:30:39 EDT 2015
I got this wordpress login bruteforcing rule from
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; \
    flow:to_server,established; \
    content:"/wp-login.php"; nocase; fast_pattern; http_uri; \
    content:"POST"; http_method; \
    content:"log|3d|"; http_client_body; \
    content:"pwd|3d|"; http_client_body; \
    threshold: type both, track by_src, count 5, seconds 60; \
    classtype:attempted-recon; sid:2014020; rev:3;)
When I change it from 'alert' to 'reject', I am not able to log in. (It says
connection is reset.) I don't quite understand what the rule means. (What I
understand is that when logging in, it looks for log or 3d in the post/get method. It looks
for client_body pwd 3d. attempted-recon means it's someone "probing" the
Only one user is able to log in to WordPress when 'reject' is used.
Three other users have "ERR_CONNECTION_RESET" in Chrome.
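
Added example (not part of the original post or of the ET rule set): a Python model of what the quoted rule's content options match and of how `threshold: type both, track by_src, count 5, seconds 60` limits alerts. The sample requests and addresses are constructed, and the fixed-window bookkeeping is a simplifying assumption about Snort's threshold tracking.

```python
# Model of the quoted rule (sid:2014020); all sample traffic is constructed.

def matches_rule(method, uri, body):
    """True when a request satisfies the rule's four content options."""
    return (
        "/wp-login.php" in uri.lower()   # content:"/wp-login.php"; nocase; http_uri
        and method == "POST"             # content:"POST"; http_method
        and "log=" in body               # content:"log|3d|"; |3d| is hex for '='
        and "pwd=" in body               # content:"pwd|3d|"; http_client_body
    )

def threshold_both(events, count=5, seconds=60):
    """Alerts under 'threshold: type both, track by_src': one per source per
    window, raised on the count-th match (simplified fixed window)."""
    state, alerts = {}, []               # state: src -> [window_start, hits]
    for src, t, method, uri, body in events:
        if not matches_rule(method, uri, body):
            continue
        win = state.get(src)
        if win is None or t - win[0] >= seconds:
            win = state[src] = [t, 0]    # start a new window for this source
        win[1] += 1
        if win[1] == count:              # later matches in the window stay silent
            alerts.append((src, t))
    return alerts

# Constructed events: (source IP, time in seconds, method, URI, body)
LOGIN = "log=alice&pwd=constructed&wp-submit=Log+In"
SAMPLE = [("198.51.100.7", 0, "POST", "/wp-login.php", LOGIN),
          ("198.51.100.7", 5, "GET", "/wp-login.php", "")]
SAMPLE += [("203.0.113.10", t, "POST", "/WP-Login.php", LOGIN)
           for t in range(0, 60, 10)]

if __name__ == "__main__":
    hits = [e for e in SAMPLE if matches_rule(*e[2:])]
    print(len(hits), "requests match the content options")
    print("alerts:", threshold_both(SAMPLE))
```

Every login POST satisfies the content options, including a single legitimate one; the threshold decides only which of those matches are logged as an alert.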