[Snort-users] Users are not able to login with Wordpress Login Bruteforcing rule

waldo kitty wkitty42 at ...14940...
Thu Aug 6 21:25:46 EDT 2015


On 08/06/2015 07:30 PM, Gary Liang wrote:
> I got this wordpress login bruteforcing rule from
> https://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-web_server.rules
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER
> Wordpress Login Bruteforcing Detected"; flow:to_server,established;
> content:"/wp-login.php"; nocase; fast_pattern; http_uri; content:"POST";
> http_method; content:"log|3d|"; http_client_body; content:"pwd|3d|";
> http_client_body; threshold: type both, track by_src, count 5, seconds 60;
> classtype:attempted-recon; sid:2014020; rev:3;)
>
> When I change it from 'alert' to 'reject', I am not able to log in. (It says
> connection is reset.) I don't quite understand what the rule means.

the key is that it looks for five attempts within 60 seconds... apparently you
or your browser are trying to log in five or more times within 60 seconds by
POSTing to the given page...

> (what I understand is when logging, it looks for log or 3d in post/get
> method. Look for client_body pwd 3d. attempted-recon means, it's someone
> "probing" the server)

3d is the hex code for the equals sign "="...

> Only one user is able to login to wordpress, when the 'reject' is used.
> Three other users have "ERR_CONNECTION_RESET" in Chrome.

what browser is the successful user using??

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
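
Added example, not part of the original thread and not Snort's own code: it decodes the rule's content strings (`|3d|` is the byte 0x3d, "=") and checks them against one ordinary login POST, showing that a single legitimate login satisfies every content option and only the threshold separates it from brute forcing. The buffer model, function names and sample request are assumptions made for illustration.

```python
# Content options copied from the rule quoted above (sid:2014020), grouped by
# the buffer each modifier selects. The grouping is this example's own model.
RULE_CONTENTS = {
    "http_uri": ["/wp-login.php"],           # followed by nocase in the rule
    "http_method": ["POST"],
    "http_client_body": ["log|3d|", "pwd|3d|"],
}

def decode_content(pattern: str) -> bytes:
    """Return the raw bytes a Snort content string matches: text between a
    pair of pipes is hex byte values, the rest is literal (backslash escapes)."""
    out = bytearray()
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "|":
            end = pattern.find("|", i + 1)
            if end == -1:
                raise ValueError("unterminated |hex| section")
            out += bytes.fromhex(pattern[i + 1:end])
            i = end + 1
        elif ch == "\\" and i + 1 < len(pattern):
            out += pattern[i + 1].encode("latin-1")
            i += 2
        else:
            out += ch.encode("latin-1")
            i += 1
    return bytes(out)

def content_matches(request: dict) -> bool:
    """True if every content option is found in its buffer."""
    for buffer, patterns in RULE_CONTENTS.items():
        data = request[buffer]
        for pattern in patterns:
            needle = decode_content(pattern)
            if buffer == "http_uri":         # nocase applies to this content only
                data, needle = data.lower(), needle.lower()
            if needle not in data:
                return False
    return True

# Constructed sample: one ordinary WordPress login form submission.
SAMPLE_LOGIN = {
    "http_uri": b"/wp-login.php",
    "http_method": b"POST",
    "http_client_body": b"log=alice&pwd=example-password&wp-submit=Log+In&testcookie=1",
}
```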



