Snort mailing list archives

Re: Users are not able to login with Wordpress Login Bruteforcing rule


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 06 Aug 2015 21:25:46 -0400

On 08/06/2015 07:30 PM, Gary Liang wrote:
> I got this WordPress login brute-forcing rule from
> https://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-web_server.rules
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER
> Wordpress Login Bruteforcing Detected"; flow:to_server,established;
> content:"/wp-login.php"; nocase; fast_pattern; http_uri; content:"POST";
> http_method; content:"log|3d|"; http_client_body; content:"pwd|3d|";
> http_client_body; threshold: type both, track by_src, count 5, seconds 60;
> classtype:attempted-recon; sid:2014020; rev:3;)
>
> When I change it from 'alert' to 'reject', I am not able to log in. (It says
> the connection is reset.) I don't quite understand what the rule means.

the key is that it looks for five attempts within 60 seconds... apparently you 
or your browser are trying to log in five or more times within 60 seconds by 
POSTing to the given page...

> (what I understand is when logging, it looks for log or 3d in post/get
> method. Look for client_body pwd 3d. attempted-recon means it's someone
> "probing" the server)

3d is the hex code for the equals sign "="...

> Only one user is able to log in to WordPress when the 'reject' is used.
> Three other users have "ERR_CONNECTION_RESET" in Chrome.

what browser is the successful user using??

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
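To make the threshold clause concrete, here is a small Python model of the quoted rule, written as an added example and not taken from the thread or from the Emerging Threats rule set. The HTTP parsing and the window bookkeeping are simplifications of Snort's own, and the sample requests and addresses are constructed.

```python
# Added example, not from the thread or Emerging Threats: a simplified model of
# sid:2014020's payload checks and its 'threshold: type both, track by_src' clause.
COUNT, SECONDS = 5, 60   # values taken from the rule quoted in the thread

def rule_matches(req: str) -> bool:
    """Approximate the rule's payload checks on one raw HTTP request: POST method,
    '/wp-login.php' in the URI (nocase), and 'log=' plus 'pwd=' in the body."""
    head, _, body = req.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split()
    if len(parts) < 2:
        return False
    method, uri = parts[0], parts[1]
    return (method == "POST" and "/wp-login.php" in uri.lower()
            and "log=" in body and "pwd=" in body)

class ThresholdBoth:
    """Model of 'type both, track by_src': a source's first matching event opens a
    window; the action fires once, on the COUNT-th event within SECONDS, and later
    events in that window are suppressed. Simplified from Snort's own bookkeeping."""
    def __init__(self, count=COUNT, seconds=SECONDS):
        self.count, self.seconds = count, seconds
        self.state = {}          # src_ip -> (window_start, events_seen)

    def event(self, src, ts) -> bool:
        start, seen = self.state.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0  # open a new window
        seen += 1
        self.state[src] = (start, seen)
        return seen == self.count   # fire exactly once per window

def run(events):
    """events: (ts, src_ip, raw_request) tuples, processed in time order. Returns the
    [(ts, src_ip)] points where the rule's action would be taken."""
    thd = ThresholdBoth()
    return [(ts, src) for ts, src, req in sorted(events, key=lambda e: e[0])
            if rule_matches(req) and thd.event(src, ts)]

# Constructed sample traffic (timestamps in seconds, RFC 5737 documentation addresses).
LOGIN_POST = ("POST /wp-login.php HTTP/1.1\r\nHost: blog.example\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              "log=alice&pwd=secret&wp-submit=Log+In")
LOGIN_GET = "GET /wp-login.php HTTP/1.1\r\nHost: blog.example\r\n\r\n"
SAMPLE = ([(t, "203.0.113.7", LOGIN_POST) for t in (0, 10, 20, 30, 40, 50, 70)]
          + [(1, "203.0.113.7", LOGIN_GET)]              # a GET does not count
          + [(5, "198.51.100.9", LOGIN_POST), (15, "198.51.100.9", LOGIN_POST)])

if __name__ == "__main__":
    print(run(SAMPLE))   # -> [(40, '203.0.113.7')]
```

On the thread's reading of the rule, each returned entry is a point where the action (an alert, or a connection reset once the action is changed to reject) is taken against that source address; the sixth POST at t=50 is suppressed and the one at t=70 starts a fresh window.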

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

