Custom signature needed to detect "invalid username" response to a brute force login attempt (is it possible?)

itmgr — Tue, 04 Mar 2014 06:41:37 GMT

Hi,

I'm new to Palo Alto and custom threat signatures. I'm trying to detect invalid login attempts to a web site and apply a time rate. When the user enters an invalid username in the login, the site returns the text "invalid username". Which context would I use to search for this pattern match? I read the "Creating Custom Signatures" document, but it created more questions and I can't seem to find any deeper documentation. By using that document, I was able to use the wordpress brute force combination signature they included (monitoring http POST to wp-login.php), but I have some users that trip those thresholds often because they log into many blogs simultaneously on one server. I'm looking for something a little more granular (not just login attempts (good or bad), but bad attempts based on the site returning the text "bad password", or "invalid username". Is this possible? I don't mind reading more documentation regarding custom signatures if it's available, I've just not seen any other documents yet that give an example like this.

Thanks!

Re: Custom signature needed to detect "invalid username" response to a brute force login attempt (is it possible?)

HULK — Tue, 04 Mar 2014 07:30:02 GMT

Do you have a pcap file taken at client or server and try to find a matching signature.

FYI Trigger Conditions for Brute Force Signatures

Thanks

Re: Custom signature needed to detect "invalid username" response to a brute force login attempt (is it possible?)

itmgr — Tue, 04 Mar 2014 16:55:41 GMT

I did take a pcap of the exchange between client and server. I see the text in the pcap, but still not sure which context to use to search for the string. The client sends an http POST to wp-login.php, and then the server issues an http 200 response and then the "Invalid username" text comes a few packets later. Below is the TCP stream from the pcap that contains the "Invalid username" text. I've tried the http_rsp_headers and file_html_body contexts, but still unable to match the text in the exchange.

POST /login/ HTTP/1.1

Host: www.mysite.com

Connection: keep-alive

Content-Length: 164

Cache-Control: max-age=0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Origin: http://www.mysite.com

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36

Content-Type: application/x-www-form-urlencoded

Referer: http://www.mysite.com/login/

Accept-Encoding: gzip,deflate,sdch

Accept-Language: en-US,en;q=0.8

Cookie: wlp_post_protection=1; PHPSESSID=gh0pdah82shb6les906pc5n4u7; __utma=74238163.586482511.1393824836.1393824836.1393824836.1; __utmc=74238163; __utmz=74238163.1393824836.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=217530694.1368975606.1393822044.1393822044.1393886113.2; __utmc=217530694; __utmz=217530694.1393822044.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wfvt_345498598=531583af83045; wordpress_test_cookie=WP+Cookie+check

log=ed&pwd=ed&cptch_result=87Q%3D&cptch_time=1393918888&cptch_number=6&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.mysite.com%2Fwp-admin%2F&testcookie=1HTTP/1.1 200 OK

Date: Tue, 04 Mar 2014 07:44:02 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Set-Cookie: wfvt_345498598=5315844284ba8; expires=Tue, 04-Mar-2014 08:14:02 GMT; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/

X-Frame-Options: SAMEORIGIN

Content-Length: 4373

Connection: close

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>

<!--[if IE 8]>

<![endif]-->

<head>

<title>mysite www &rsaquo; Log In</title>

<!--[if lte IE 7]>

<![endif]-->

addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};

function s(id,pos){g(id).left=pos+'px';}

function g(id){return document.getElementById(id).style;}

function shake(id,a,d){c=a.shift();s(id,c);if(a.length>0){setTimeout(function(){shake(id,a,d);},d);}else{try{g(id).position='static';wp_attempt_focus();}catch(e){}}}

addLoadEvent(function(){ var p=new Array(15,30,15,0,-15,-30,-15,0);p=p.concat(p.concat(p));var i=document.forms[0].id;g(i).position='relative';shake(i,p,20);});

</script>

</head>

<h1><a href="http://wordpress.org/" title="Powered by WordPress">mysite www</a></h1>

<div id="login_error"> <strong>ERROR</strong>: Invalid username. <a href="http://www.mysite.com/login/?action=lostpassword" title="Password Lost and Found">Lost your password</a>?<br />

</div>

<p>

<label for="user_login">Username<br />

</p>

<p>

<label for="user_pass">Password<br />

</p>

1 + one = <input id="cptch_input" type="text" autocomplete="off" name="cptch_number" value="" maxlength="2" size="2" aria-required="true" required="required" style="margin-bottom:0;display:inline;font-size: 12px;width: 40px;" /> </p>

<br /> <p class="forgetmenot"><label for="rememberme"><input name="rememberme" type="checkbox" id="rememberme" value="forever" /> Remember Me</label></p>

</p>

</form>

<a href="http://www.mysite.com/login/?action=lostpassword" title="Password Lost and Found">Lost your password?</a>

</p>

function wp_attempt_focus(){

setTimeout( function(){ try{

d = document.getElementById('user_login');

if( d.value != '' )

d.value = '';

d.focus();

d.select();

} catch(e){}

}, 200);

}

if(typeof wpOnload=='function')wpOnload();

</script>

<p id="backtoblog"><a href="http://www.mysite.com/" title="Are you lost?">← Back to mysite www</a></p>

</div>

</body>

</html>

Re: Custom signature needed to detect "invalid username" response to a brute force login attempt (is it possible?)

hyadavalli — Tue, 04 Mar 2014 17:47:13 GMT

Hello,

I'd recommend create a rule in vulnerability protection object with category set to brute-force and action set to drop-all-packets.

Hope this helps.

Regards,

Hari Yadavalli

Re: Custom signature needed to detect "invalid username" response to a brute force login attempt (is it possible?)

goku123 — Tue, 04 Mar 2014 17:57:21 GMT

Please also consider posting this question in the DevCenter community:

DevCenter

This community is for users to share custom content such as custom signatures, scripts etc. Participants in DevCenter may be able to shed more light on what additional tuning may be needed to your custom signature (which context, what pattern etc) to match the stream in question.

Re: Custom signature needed to detect "invalid username" response to a brute force login attempt (is it possible?)

itmgr — Tue, 04 Mar 2014 19:56:19 GMT

Thanks for the suggestion @goku123 ! I just posted it to the DevCenter as well. I will take all the help I can get with this one. I know the device must be capable of this, I'm just too inexperienced with it to know how to do it at this point.

topic Re: Custom signature needed to detect "invalid username" response to a brute force login attempt (is it possible?) in General Topics

Custom signature needed to detect "invalid username" response to a brute force login attempt (is it possible?)

Re: Custom signature needed to detect "invalid username" response to a brute force login attempt (is it possible?)

Re: Custom signature needed to detect "invalid username" response to a brute force login attempt (is it possible?)

Re: Custom signature needed to detect "invalid username" response to a brute force login attempt (is it possible?)

Re: Custom signature needed to detect "invalid username" response to a brute force login attempt (is it possible?)

Re: Custom signature needed to detect "invalid username" response to a brute force login attempt (is it possible?)