https://live.paloaltonetworks.com/t5/automation-api-discussions/custom-vuln-signature-with-req-and-rsp-contexts-fails/m-p/18213#M471 <HTML><HEAD></HEAD><BODY><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Sorry to cross post this - I was directed to the DEVCENTRE as a more likely setting to find an answer to this. </P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">I'm trying to stem the flood of wordpress brute force attacks coming INTO our network (we are a web host, so host thousands of WP sites).</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Detecting WP logins is relatively easy, by setting up a signature that looks for the regex wp\-login\.php in the http-req-uri-path context with the http-method = POST qualifier. I can now see all of the wp-login requests coming into our network.</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">However, detecting a FAILED WP login means also detecting the 200 response code from the web server (WordPress issues a 302 redirect upon successful login, a 200 upon failure).</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">I have tried adding an extra AND condition to my signature which checks for http-rsp-code = 200 but it doesn't trigger. My Custom Vulnerablity Sig looks like this</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Custom Vuln Signature:</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Severity : Informational</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Default Action : Alert</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Direction : client2server</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Affected System : server</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Signature (Standard)</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Scope : Transaction</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Ordered Condition Match</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Condition 1 : pattern-match http-req-uri-path ~= wp\-login\.php</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Condition 2 : equal-to http-rsp-code == 200</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Why is this failing to work? Without Condition 2 it detects all wp logins, but with Condition 2 enabled it sees nothing. It appears that if I mix a http-req and http-rsp in any way it fails. Help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Fri, 01 Aug 2014 06:46:15 GMT SimonBlackler 2014-08-01T06:46:15Z https://live.paloaltonetworks.com/t5/automation-api-discussions/custom-vuln-signature-with-req-and-rsp-contexts-fails/m-p/18213#M471 <HTML><HEAD></HEAD><BODY><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Sorry to cross post this - I was directed to the DEVCENTRE as a more likely setting to find an answer to this. </P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">I'm trying to stem the flood of wordpress brute force attacks coming INTO our network (we are a web host, so host thousands of WP sites).</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Detecting WP logins is relatively easy, by setting up a signature that looks for the regex wp\-login\.php in the http-req-uri-path context with the http-method = POST qualifier. I can now see all of the wp-login requests coming into our network.</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">However, detecting a FAILED WP login means also detecting the 200 response code from the web server (WordPress issues a 302 redirect upon successful login, a 200 upon failure).</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">I have tried adding an extra AND condition to my signature which checks for http-rsp-code = 200 but it doesn't trigger. My Custom Vulnerablity Sig looks like this</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Custom Vuln Signature:</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Severity : Informational</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Default Action : Alert</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Direction : client2server</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Affected System : server</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Signature (Standard)</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Scope : Transaction</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Ordered Condition Match</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Condition 1 : pattern-match http-req-uri-path ~= wp\-login\.php</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Condition 2 : equal-to http-rsp-code == 200</P><P></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Why is this failing to work? Without Condition 2 it detects all wp logins, but with Condition 2 enabled it sees nothing. It appears that if I mix a http-req and http-rsp in any way it fails. Help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Fri, 01 Aug 2014 06:46:15 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/custom-vuln-signature-with-req-and-rsp-contexts-fails/m-p/18213#M471 SimonBlackler 2014-08-01T06:46:15Z