How would I create a custom threat signature that looks for a server's "invalid username" response to a failed login attempt?

Hi,

I'm new to Palo Alto and custom threat signatures. I'm trying to detect invalid login attempts to a web site and apply a time rate. When the user enters an invalid username in the login, the site returns the text "invalid username". Which context would I use to search for this pattern match? I read the "Creating Custom Signatures" document, but it created more questions and I can't seem to find any deeper documentation. By using that document, I was able to use the WordPress brute force combination signature they included (monitoring HTTP POST to wp-login.php), but I have some users that trip those thresholds often because they log into many blogs simultaneously on one server. I'm looking for something a little more granular (not just login attempts (good or bad), but bad attempts based on the site returning the text "bad password" or "invalid username"). Is this possible? I don't mind reading more documentation regarding custom signatures if it's available, I've just not seen any other documents yet that give an example like this.

I did take a pcap of the exchange between client and server. I see the text in the pcap, but I'm still not sure which context to use to search for the string. The client sends an HTTP POST to wp-login.php, and then the server issues an HTTP 200 response, and then the "Invalid username" text comes a few packets later. Below is the TCP stream from the pcap that contains the "Invalid username" text. I've tried the http_rsp_headers and file_html_body contexts, but I'm still unable to match the text in the exchange.

Thanks!

POST /login/ HTTP/1.1
Host: www.mysite.com
Connection: keep-alive
Content-Length: 164
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.mysite.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.mysite.com/login/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: wlp_post_protection=1; PHPSESSID=gh0pdah82shb6les906pc5n4u7; __utma=74238163.586482511.1393824836.1393824836.1393824836.1; __utmc=74238163; __utmz=74238163.1393824836.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=217530694.1368975606.1393822044.1393822044.1393886113.2; __utmc=217530694; __utmz=217530694.1393822044.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wfvt_345498598=531583af83045; wordpress_test_cookie=WP+Cookie+check

log=ed&pwd=ed&cptch_result=87Q%3D&cptch_time=1393918888&cptch_number=6&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.mysite.com%2Fwp-admin%2F&testcookie=1

HTTP/1.1 200 OK
Date: Tue, 04 Mar 2014 07:44:02 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: wfvt_345498598=5315844284ba8; expires=Tue, 04-Mar-2014 08:14:02 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
X-Frame-Options: SAMEORIGIN
Content-Length: 4373
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
  <!--[if IE 8]>
  <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
  <![endif]-->
  <!--[if !(IE 8) ]><!-->
  <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
  <!--<![endif]-->
  <head>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  <title>mysite www &rsaquo; Log In</title>
  <link rel='stylesheet' id='open-sans-css'  href='//fonts.googleapis.com/css?family=Open+Sans%3A300italic%2C400italic%2C600italic%2C300%2C400%2C600&#038;subset=latin%2Clatin-ext&#038;ver=3.8.1' type='text/css' media='all' />
<link rel='stylesheet' id='dashicons-css'  href='http://www.mysite.com/wp-includes/css/dashicons.min.css?ver=3.8.1' type='text/css' media='all' />
<link rel='stylesheet' id='wp-admin-css'  href='http://www.mysite.com/wp-admin/css/wp-admin.min.css?ver=3.8.1' type='text/css' media='all' />
<link rel='stylesheet' id='buttons-css'  href='http://www.mysite.com/wp-includes/css/buttons.min.css?ver=3.8.1' type='text/css' media='all' />
<link rel='stylesheet' id='colors-fresh-css'  href='http://www.mysite.com/wp-admin/css/colors.min.css?ver=3.8.1' type='text/css' media='all' />
<!--[if lte IE 7]>
<link rel='stylesheet' id='ie-css'  href='http://www.mysite.com/wp-admin/css/ie.min.css?ver=3.8.1' type='text/css' media='all' />
<![endif]-->
<meta name='robots' content='noindex,follow' />
<script type="text/javascript">
addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
function s(id,pos){g(id).left=pos+'px';}
function g(id){return document.getElementById(id).style;}
function shake(id,a,d){c=a.shift();s(id,c);if(a.length>0){setTimeout(function(){shake(id,a,d);},d);}else{try{g(id).position='static';wp_attempt_focus();}catch(e){}}}
addLoadEvent(function(){ var p=new Array(15,30,15,0,-15,-30,-15,0);p=p.concat(p.concat(p));var i=document.forms[0].id;g(i).position='relative';shake(i,p,20);});
</script>
  </head>
  <body class="login login-action-login wp-core-ui">
  <div id="login">
  <h1><a href="http://wordpress.org/" title="Powered by WordPress">mysite www</a></h1>
  <div id="login_error"> <strong>ERROR</strong>: Invalid username. <a href="http://www.mysite.com/login/?action=lostpassword" title="Password Lost and Found">Lost your password</a>?<br />
</div>
<form name="loginform" id="loginform" action="http://www.mysite.com/login/" method="post">
  <p>
  <label for="user_login">Username<br />
  <input type="text" name="log" id="user_login" class="input" value="" size="20" /></label>
  </p>
  <p>
  <label for="user_pass">Password<br />
  <input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /></label>
  </p>
  <p class="cptch_block"><br /> <input type="hidden" name="cptch_result" value="hIE=" />
  <input type="hidden" name="cptch_time" value="1393919042" />
  <input type="hidden" value="Version: 2.4" />
  1 &#43; on&#101; =  <input id="cptch_input" type="text" autocomplete="off" name="cptch_number" value="" maxlength="2" size="2" aria-required="true" required="required" style="margin-bottom:0;display:inline;font-size: 12px;width: 40px;" /> </p>
  <br /> <p class="forgetmenot"><label for="rememberme"><input name="rememberme" type="checkbox" id="rememberme" value="forever"  /> Remember Me</label></p>
  <p class="submit">
  <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" />
  <input type="hidden" name="redirect_to" value="http://www.mysite.com/wp-admin/" />
  <input type="hidden" name="testcookie" value="1" />
  </p>
</form>
<p id="nav">
  <a href="http://www.mysite.com/login/?action=lostpassword" title="Password Lost and Found">Lost your password?</a>
</p>
<script type="text/javascript">
function wp_attempt_focus(){
setTimeout( function(){ try{
d = document.getElementById('user_login');
if( d.value != '' )
d.value = '';
d.focus();
d.select();
} catch(e){}
}, 200);
}
if(typeof wpOnload=='function')wpOnload();
</script>
  <p id="backtoblog"><a href="http://www.mysite.com/" title="Are you lost?">&larr; Back to mysite www</a></p>
  </div>
  <div class="clear"></div>
  </body>
  </html>
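The detection the poster is after, written out as an added example that is not part of the post and is not a PAN-OS signature: Python that parses a reassembled client/server stream of the same shape as the capture above (where the POST body runs straight into `HTTP/1.1 200 OK`, so Content-Length is what delimits the messages), treats a login POST as failed only when the HTML reply carries one of the failure phrases, and counts failures per client in a sliding window so that users who merely log in a lot never trip it. The login paths, the failure phrases, the assumption that a successful WordPress login answers with a 302 to wp-admin, and all of the sample traffic are assumptions or constructed for the example. Whatever engine does the matching has to see the reassembled response body rather than the response headers, because the text lives in the body and, as the capture shows, arrives several packets after the status line; the browser also offered Accept-Encoding: gzip, so if the server ever compresses the reply (it did not in this capture, there is no Content-Encoding header) the body must be inflated before the phrase can be found.

```python
import gzip
import re
from collections import defaultdict, deque

# Assumptions, not from the post: the site's login endpoints and the failure phrases
# to look for in the reply. The phrases are the two the poster quotes; match them
# against the wording the real server sends (here "Invalid username.").
LOGIN_PATHS = ("/login/", "/wp-login.php")
FAILURE_PATTERNS = [re.compile(rb"invalid username", re.I),
                    re.compile(rb"bad password", re.I)]


def parse_message(stream, offset):
    """Parse one HTTP message (request or response) at `offset` in a reassembled
    TCP stream; return (start_line, headers, body, next_offset). Content-Length is
    what separates the POST body from the 'HTTP/1.1 200 OK' glued to its end."""
    end = stream.index(b"\r\n\r\n", offset)
    lines = stream[offset:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    body_start = end + 4
    length = int(headers.get("content-length", "0"))
    body = stream[body_start:body_start + length]
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)  # inflate before looking for the text
    return lines[0], headers, body, body_start + length


def parse_stream(stream):
    """Split a reassembled request/response stream into its messages."""
    messages, offset = [], 0
    while offset < len(stream):
        start_line, headers, body, offset = parse_message(stream, offset)
        messages.append((start_line, headers, body))
    return messages


def is_failed_login(request, response):
    """True when a POST to a login path drew a 200 text/html reply whose body carries
    a failure phrase. A successful login is assumed to redirect, so it never matches;
    a plain POST counter cannot tell the two apart."""
    method, path, _ = request[0].split(" ", 2)
    if method != "POST" or not any(path.startswith(p) for p in LOGIN_PATHS):
        return False
    status_line, headers, body = response
    if status_line.split(" ")[1] != "200" or "text/html" not in headers.get("content-type", ""):
        return False
    return any(p.search(body) for p in FAILURE_PATTERNS)


class FailureRateTracker:
    """Per-client sliding window: True once `threshold` failures fall inside `window` seconds."""

    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.events = defaultdict(deque)

    def record(self, client, ts):
        q = self.events[client]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) >= self.threshold


def detect(streams, threshold=3, window=60):
    """streams: iterable of (client_ip, timestamp, raw_stream). Returns the
    (client_ip, timestamp) pairs at which the failure rate reached the threshold."""
    tracker, alerts = FailureRateTracker(threshold, window), []
    for client, ts, raw in streams:
        pending = None
        for msg in parse_stream(raw):
            if not msg[0].startswith("HTTP/"):  # a request: pair it with the next response
                pending = msg
            elif pending is not None:
                if is_failed_login(pending, msg) and tracker.record(client, ts):
                    alerts.append((client, ts))
                pending = None
    return alerts


def build_exchange(username, password, failed, gzipped=False):
    """Constructed exchange modelled on the post's capture (trimmed): the login POST with
    the reply glued directly after its body. `failed` selects the 200 error page carrying
    the login_error div; otherwise the assumed 302 to wp-admin that follows a good login."""
    form = f"log={username}&pwd={password}&wp-submit=Log+In&testcookie=1".encode()
    request = (b"POST /login/ HTTP/1.1\r\nHost: www.mysite.com\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: %d\r\n\r\n" % len(form)) + form
    if not failed:
        return request + (b"HTTP/1.1 302 Found\r\nLocation: http://www.mysite.com/wp-admin/\r\n"
                          b"Content-Length: 0\r\n\r\n")
    html = b'<html><body><div id="login_error"><strong>ERROR</strong>: Invalid username.</div></body></html>'
    if gzipped:
        html = gzip.compress(html)
    return request + (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
                      + (b"Content-Encoding: gzip\r\n" if gzipped else b"")
                      + b"Content-Length: %d\r\n\r\n" % len(html)) + html


def sample_streams():
    """Constructed traffic: 10.0.0.5 fails four times in 40 s (one reply gzipped);
    10.0.0.9 logs in once and mistypes once, five minutes apart."""
    return [("10.0.0.5", 0, build_exchange("ed", "ed", failed=True)),
            ("10.0.0.5", 10, build_exchange("admin", "x", failed=True, gzipped=True)),
            ("10.0.0.9", 15, build_exchange("alice", "right", failed=False)),
            ("10.0.0.5", 25, build_exchange("root", "x", failed=True)),
            ("10.0.0.5", 40, build_exchange("ed", "ed2", failed=True)),
            ("10.0.0.9", 300, build_exchange("alice", "typo", failed=True))]


if __name__ == "__main__":
    for client, ts in detect(sample_streams()):
        print(f"{client}: failed-login threshold reached at t={ts}s")
```

With the defaults (three failures inside 60 seconds) only 10.0.0.5 fires, at t=25 and again at t=40; the user on 10.0.0.9 who logged in cleanly and then mistyped once much later never counts, which is the distinction the wp-login.php POST counter in the post could not make. The tracker keeps reporting while the window still holds at least the threshold, so a sustained guess sequence produces a hit per failure rather than one per window; change `record` to return `len(q) == self.threshold` if one alert per burst is wanted.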
