Snort mailing list archives

Users are not able to login with Wordpress Login Bruteforcing rule


From: Gary Liang <figo2476 () gmail com>
Date: Fri, 7 Aug 2015 09:30:39 +1000

I got this wordpress login bruteforcing rule from
https://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-web_server.rules

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; flow:to_server,established; content:"/wp-login.php"; nocase; fast_pattern; http_uri; content:"POST"; http_method; content:"log|3d|"; http_client_body; content:"pwd|3d|"; http_client_body; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:2014020; rev:3;)

When I change it from 'alert' to 'reject', I am not able to log in. (It says
the connection is reset.) I don't quite understand what the rule means. (What I
understand is when logging in, it looks for log or 3d in post/get method. Look
for client_body pwd 3d. attempted-recon means it's someone "probing" the
server.)

Only one user is able to log in to WordPress when 'reject' is used.
Three other users have "ERR_CONNECTION_RESET" in Chrome.

Regards
Kenpeter
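
Added example, not part of the original post or of the Emerging Threats ruleset: a Python model of the quoted rule's content options and its rate option, run over constructed requests. It assumes Snort 2.9's documented semantics, in which threshold limits only logged events while detection_filter (not used in the quoted rule) gates the rule itself; the function names and sample traffic are hypothetical.

```python
def decode_content(pattern):
    """Decode a Snort content string; text between |...| is hex bytes."""
    parts = pattern.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode()
                    for i, p in enumerate(parts))

URI = decode_content("/wp-login.php")                          # matched nocase
BODY = [decode_content("log|3d|"), decode_content("pwd|3d|")]  # b"log=", b"pwd="

def rule_matches(method, uri, body):
    """Content options of the quoted rule, without its rate option."""
    return (method == "POST" and URI in uri.lower().encode()
            and all(p in body for p in BODY))

def simulate(requests, count=5, seconds=60):
    """Model (assumption: Snort 2.9 documented semantics):
    threshold type both -> action on every match, one logged event per window
    detection_filter    -> rule fires only after `count` matches are exceeded"""
    acted, logged, df_acted, state = [], [], [], {}
    for idx, (t, src, method, uri, body) in enumerate(requests):
        if not rule_matches(method, uri, body):
            continue
        start, n = state.get(src, (t, 0))
        if t - start >= seconds:          # sampling period expired, restart
            start, n = t, 0
        n += 1
        state[src] = (start, n)
        acted.append(idx)                 # reject/alert applies to this request
        if n == count:
            logged.append(idx)            # threshold only limits logged events
        if n > count:
            df_acted.append(idx)          # detection_filter gates the rule itself
    return {"threshold_action": acted, "threshold_logged": logged,
            "detection_filter_action": df_acted}

# Constructed sample traffic: (seconds, source, method, uri, body)
SAMPLE = [
    (0, "203.0.113.10", "GET", "/wp-login.php", b""),
    (1, "203.0.113.10", "POST", "/wp-login.php", b"log=alice&pwd=a1&wp-submit=Log+In"),
    (5, "203.0.113.11", "POST", "/WP-Login.php", b"log=bob&pwd=b2&wp-submit=Log+In"),
] + [(10 + 2 * i, "198.51.100.7", "POST", "/wp-login.php",
      b"log=admin&pwd=guess%d" % i) for i in range(7)]

if __name__ == "__main__":
    for name, hits in simulate(SAMPLE).items():
        print(name, hits)
```

In this model the two single login POSTs (indexes 1 and 2) are acted on under the threshold form, while the detection_filter form acts only on the sixth and seventh POST from the repeating source.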