[Snort-users] Users are not able to login with Wordpress Login Bruteforcing rule

Gary Liang figo2476 at ...11827...
Thu Aug 6 19:30:39 EDT 2015


I got this wordpress login bruteforcing rule from
https://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-web_server.rules

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; \
    flow:to_server,established; \
    content:"/wp-login.php"; nocase; fast_pattern; http_uri; \
    content:"POST"; http_method; \
    content:"log|3d|"; http_client_body; \
    content:"pwd|3d|"; http_client_body; \
    threshold: type both, track by_src, count 5, seconds 60; \
    classtype:attempted-recon; sid:2014020; rev:3;)

When I change it from 'alert' to 'reject', I am not able to log in. (It says
the connection is reset.) I don't quite understand what the rule means. (What I
understand is that when logging in, it looks for log or 3d in the post/get
method, and looks for client_body pwd 3d. attempted-recon means it's someone
"probing" the server.)

Only one user is able to log in to WordPress when 'reject' is used.
Three other users have "ERR_CONNECTION_RESET" in Chrome.

Regards
Kenpeter
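
The following is an added example, not part of the original post or of the Emerging Threats ruleset: a simplified Python model of how "threshold: type both, track by_src, count 5, seconds 60" selects which matching login POSTs raise an event. It models event generation only, not the rule action. The function name, the fixed window that starts at a source's first match, and the sample addresses and timestamps are assumptions made for illustration.

```python
# Simplified model (assumption, not Snort's own code) of the rule option
#   threshold: type both, track by_src, count 5, seconds 60
# "type both" raises one event per window, on the count-th match from a
# source, and stays silent for the remaining matches in that window.
COUNT, SECONDS = 5, 60  # values taken from the rule in the post


def threshold_both(matches, count=COUNT, seconds=SECONDS):
    """Return the (time, src) matches that generate an event.

    matches: (time_in_seconds, source_ip) pairs sorted by time, one per
    request that already satisfied every content option of the rule.
    """
    state = {}   # source_ip -> [window_start, matches_in_window]
    events = []
    for t, src in matches:
        win = state.get(src)
        if win is None or t - win[0] >= seconds:
            win = state[src] = [t, 0]   # window expired: start a new one
        win[1] += 1
        if win[1] == count:             # exactly the count-th match
            events.append((t, src))
    return events


# Constructed sample: POSTs to /wp-login.php carrying log= and pwd=.
# 203.0.113.10 stands for several users behind one shared address;
# track by_src keeps a single counter for all of them.
SAMPLE = [
    (0, "203.0.113.10"), (4, "198.51.100.7"), (9, "203.0.113.10"),
    (15, "203.0.113.10"), (22, "203.0.113.10"), (30, "203.0.113.10"),
    (31, "203.0.113.10"), (50, "198.51.100.7"), (65, "203.0.113.10"),
]

if __name__ == "__main__":
    for t, src in threshold_both(SAMPLE):
        print(f"t={t:>3}s  event for {src}")
```
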