Sorry to cross post this - I was directed to the DEVCENTRE as a more likely setting to find an answer to this.
I'm trying to stem the flood of wordpress brute force attacks coming INTO our network (we are a web host, so host thousands of WP sites).
Detecting WP logins is relatively easy, by setting up a signature that looks for the regex wp\-login\.php in the http-req-uri-path context with the http-method = POST qualifier. I can now see all of the wp-login requests coming into our network.
However, detecting a FAILED WP login means also detecting the 200 response code from the web server (WordPress issues a 302 redirect upon successful login, a 200 upon failure).
I have tried adding an extra AND condition to my signature which checks for http-rsp-code = 200 but it doesn't trigger. My Custom Vulnerablity Sig looks like this
Custom Vuln Signature:
Severity : Informational
Default Action : Alert
Direction : client2server
Affected System : server
Scope : Transaction
Ordered Condition Match
Condition 1 : pattern-match http-req-uri-path ~= wp\-login\.php
Condition 2 : equal-to http-rsp-code == 200
Why is this failing to work? Without Condition 2 it detects all wp logins, but with Condition 2 enabled it sees nothing. It appears that if I mix a http-req and http-rsp in any way it fails. Help :-)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!