Snort mailing list archives

RE : Wordpress brute force rule-wp-login.php


From: rmkml <rmkml () yahoo fr>
Date: Tue, 09 Sep 2014 18:15:07 +0200

Hello, 

Need more information for helping you. 

Could you try disabling cksum verification? (-k none)

Test without detection_filter? 

Are you sure drop work on your test? 

Could you share a pcap? 

How to test? Wget or curl non caching web client? 

Regards
@Rmkml





-------- Original message --------
From: akh form <akhform () gmail com>
Date: 09/09/2014 17:15 (GMT+01:00)
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] Wordpress brute force rule-wp-login.php

Hello all,

I'm starting with Snort rules, and I have an issue with one of them. I'd like to block that kind of traffic with Snort 2.9.6.2:

"POST /wp-login.php HTTP/1.0" 301 249 "-" "-" gzip:OK In:- Out:-:-pct. VA8Q-SW7mZkAAC2VsksAAABe

so I activated the following rule, which should drop the packet after 10 attempts:

drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Wordpress brute-force login attempt"; 
flow:to_server,established; content:"POST"; nocase; http_method; content:"/wp-login.php"; http_uri; 
detection_filter:track by_src, count 10, seconds 60; metadata:service http; sid:26557; rev:3;)

But unfortunately that rule is not working for me. I probably miss something, so any help will be appreciated.

Thanks in advance.


Snort:2.9.6.2
snortrules-snapshot-2962
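To make the rule's behaviour concrete, here is a small Python model of what `detection_filter:track by_src, count 10, seconds 60;` does to the rule above. This is an added example, not Snort's own code and not from either poster: it follows the Snort manual's description that the filter defines a rate which must be *exceeded* per source before the rule can fire (so the first ten matching POSTs in a 60-second window pass silently, and the rule fires from the eleventh onward), with the window anchored at the first match and reset once it has expired. The timestamps, source addresses and request lines are constructed sample data; `DetectionFilter`, `rule_matches` and `evaluate` are names chosen for this example.

```python
"""Model of a Snort rule with detection_filter:track by_src, count 10, seconds 60.

Added example (not Snort source). It reproduces the manual's description of
detection_filter: the per-source match rate must be exceeded inside the
window before the rule is allowed to fire.
"""
from typing import Dict, List, Tuple

COUNT = 10      # from the rule: count 10
SECONDS = 60    # from the rule: seconds 60

Event = Tuple[float, str, str]   # (timestamp, source IP, HTTP request line)


class DetectionFilter:
    """Per-source counter. The window starts at the first match from a source
    and is restarted (count back to 1) once `seconds` have elapsed."""

    def __init__(self, count: int = COUNT, seconds: int = SECONDS) -> None:
        self.count = count
        self.seconds = seconds
        # src -> (window start, matches seen in this window)
        self._state: Dict[str, Tuple[float, int]] = {}

    def check(self, src: str, ts: float) -> bool:
        """Record one rule match from `src` at time `ts`; return True if the
        rule may fire for this packet (rate exceeded)."""
        start, n = self._state.get(src, (ts, 0))
        if ts - start >= self.seconds:
            start, n = ts, 0          # window expired: start a new one
        n += 1
        self._state[src] = (start, n)
        return n > self.count         # "rate must be exceeded", not merely reached


def rule_matches(request_line: str) -> bool:
    """The content checks from the rule: POST method (nocase) and
    /wp-login.php in the URI. Flow/port checks are assumed already satisfied."""
    parts = request_line.split()
    return (len(parts) >= 2
            and parts[0].upper() == "POST"
            and parts[1].startswith("/wp-login.php"))


def evaluate(events: List[Event]) -> List[int]:
    """Run the rule over time-ordered events; return the indexes that fire."""
    df = DetectionFilter()
    fired = []
    for i, (ts, src, req) in enumerate(sorted(events, key=lambda e: e[0])):
        if rule_matches(req) and df.check(src, ts):
            fired.append(i)
    return fired


def sample_events() -> List[Event]:
    """Constructed traffic: 15 login POSTs from one source two seconds apart,
    one POST from an unrelated source, and one GET that must not count."""
    attacker, other = "198.51.100.7", "203.0.113.9"   # documentation ranges
    events: List[Event] = [(2.0 * i, attacker, "POST /wp-login.php HTTP/1.0")
                           for i in range(15)]
    events.append((3.0, other, "POST /wp-login.php HTTP/1.0"))
    events.append((5.0, attacker, "GET /wp-login.php HTTP/1.0"))
    return events


def slow_events() -> List[Event]:
    """Constructed: 12 POSTs from one source ten seconds apart. Only six land in
    any 60-second window, so the filter never lets the rule fire."""
    return [(10.0 * i, "192.0.2.44", "POST /wp-login.php HTTP/1.0")
            for i in range(12)]


if __name__ == "__main__":
    # Expected: indexes 12..16 fire (the 11th to 15th POST from 198.51.100.7)
    print("burst :", evaluate(sample_events()))
    # Expected: [] (attempts spread out below the configured rate)
    print("slow  :", evaluate(slow_events()))
```

Two things the model makes visible when you compare it with a test run: a `wget`/`curl` loop that stops at exactly ten requests never reaches the threshold, and spreading attempts more than a window apart resets the counter. Independently of the filter, a `drop` action only blocks traffic when Snort runs inline; in passive (IDS) mode the rule can at most alert, which is what rmkml's "Are you sure drop work on your test?" is getting at.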

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

