Snort mailing list archives
Re: Users are not able to login with Wordpress Login Bruteforcing rule
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 06 Aug 2015 21:25:46 -0400
On 08/06/2015 07:30 PM, Gary Liang wrote:
> I got this wordpress login bruteforcing rule from
> https://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-web_server.rules
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; flow:to_server,established; content:"/wp-login.php"; nocase; fast_pattern; http_uri; content:"POST"; http_method; content:"log|3d|"; http_client_body; content:"pwd|3d|"; http_client_body; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:2014020; rev:3;)
>
> When I change it from 'alert' to 'reject', I am not able to login. (It says
> connection is reset) I don't quite understand what the rule means.

the key is that it looks for five attempts within 60 seconds... apparently you or your browser are trying to log in five or more times within 60 seconds by POSTing to the given page...

> (what I understand is when logging, it looks for log or 3d in post/get method.
> Look for client_body pwd 3d. attempted-recon means, it's someone "probing"
> the server)

3d is the hex code for the equals sign "="...

> Only one user is able to login to wordpress, when the 'reject' is used. Three
> other users have "ERR_CONNECTION_RESET" in Chrome.

what browser is the successful user using??
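
Added example (not part of the original thread, and not Snort code): a simplified Python model of the quoted rule's "threshold: type both, track by_src, count 5, seconds 60" option, run over constructed POST timestamps to show which sources would reach the count. The fixed window starting at a source's first matching POST, the documentation-range addresses and the event list are assumptions made for illustration; the shared-address case shows that by_src counts per source IP, not per user.

```python
import re

# Threshold option copied from the rule quoted in the post (sid:2014020).
RULE_OPTION = "threshold: type both, track by_src, count 5, seconds 60;"

def parse_threshold(option):
    """Extract the four threshold parameters from a rule option string."""
    m = re.search(r"threshold:\s*type\s+(\w+),\s*track\s+(\w+),"
                  r"\s*count\s+(\d+),\s*seconds\s+(\d+)", option)
    if m is None:
        raise ValueError("no threshold option found")
    return {"type": m.group(1), "track": m.group(2),
            "count": int(m.group(3)), "seconds": int(m.group(4))}

def simulate(events, count, seconds):
    """Model 'type both, track by_src': one event per source per window,
    logged when that source's matching POSTs reach `count`.
    events: (timestamp_seconds, source_ip) for POSTs to /wp-login.php
    whose body contains log= and pwd=. Returns the triggering events."""
    windows = {}   # source_ip -> window state (assumed fixed window)
    alerts = []
    for ts, src in sorted(events):
        win = windows.get(src)
        if win is None or ts - win["start"] >= seconds:
            win = windows[src] = {"start": ts, "hits": 0, "alerted": False}
        win["hits"] += 1
        if win["hits"] >= count and not win["alerted"]:
            win["alerted"] = True          # later hits in window are silent
            alerts.append((ts, src))
    return alerts

# Constructed sample data (RFC 5737 documentation addresses).
SHARED = "198.51.100.50"   # several users behind one address, 6 POSTs total
SCRIPT = "203.0.113.10"    # one source, 7 POSTs in 30 seconds
SLOW = "192.0.2.33"        # 4 POSTs in a window, a 5th after it expires
SINGLE = "192.0.2.80"      # 3 POSTs, never reaches the count
EVENTS = ([(t, SHARED) for t in range(1, 7)] +
          [(t, SCRIPT) for t in range(0, 35, 5)] +
          [(t, SLOW) for t in (0, 15, 30, 45, 70)] +
          [(t, SINGLE) for t in (0, 20, 40)])

if __name__ == "__main__":
    p = parse_threshold(RULE_OPTION)
    for ts, src in simulate(EVENTS, p["count"], p["seconds"]):
        print(f"t={ts:>3}s  threshold reached by {src}")
```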