03-03-2014 10:41 PM
Hi,
I'm new to Palo Alto and custom threat signatures. I'm trying to detect invalid login attempts to a web site and apply a time rate. When the user enters an invalid username in the login, the site returns the text "invalid username". Which context would I use to search for this pattern match? I read the "Creating Custom Signatures" document, but it created more questions and I can't seem to find any deeper documentation. By using that document, I was able to use the wordpress brute force combination signature they included (monitoring http POST to wp-login.php), but I have some users that trip those thresholds often because they log into many blogs simultaneously on one server. I'm looking for something a little more granular (not just login attempts (good or bad), but bad attempts based on the site returning the text "bad password" or "invalid username"). Is this possible? I don't mind reading more documentation regarding custom signatures if it's available; I've just not seen any other documents yet that give an example like this.
Thanks!
03-03-2014 11:30 PM
Do you have a pcap file taken at the client or server, and have you tried to find a matching signature?
FYI Trigger Conditions for Brute Force Signatures
Thanks
03-04-2014 08:55 AM
I did take a pcap of the exchange between client and server. I see the text in the pcap, but I'm still not sure which context to use to search for the string. The client sends an http POST to wp-login.php, then the server issues an http 200 response, and then the "Invalid username" text comes a few packets later. Below is the TCP stream from the pcap that contains the "Invalid username" text. I've tried the http_rsp_headers and file_html_body contexts, but am still unable to match the text in the exchange.
POST /login/ HTTP/1.1
Host: www.mysite.com
Connection: keep-alive
Content-Length: 164
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.mysite.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.mysite.com/login/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: wlp_post_protection=1; PHPSESSID=gh0pdah82shb6les906pc5n4u7; __utma=74238163.586482511.1393824836.1393824836.1393824836.1; __utmc=74238163; __utmz=74238163.1393824836.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=217530694.1368975606.1393822044.1393822044.1393886113.2; __utmc=217530694; __utmz=217530694.1393822044.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wfvt_345498598=531583af83045; wordpress_test_cookie=WP+Cookie+check
log=ed&pwd=ed&cptch_result=87Q%3D&cptch_time=1393918888&cptch_number=6&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.mysite.com%2Fwp-admin%2F&testcookie=1HTTP/1.1 200 OK
Date: Tue, 04 Mar 2014 07:44:02 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: wfvt_345498598=5315844284ba8; expires=Tue, 04-Mar-2014 08:14:02 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
X-Frame-Options: SAMEORIGIN
Content-Length: 4373
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<!--[if IE 8]>
<html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
<![endif]-->
<!--[if !(IE 8) ]><!-->
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
<!--<![endif]-->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>mysite www › Log In</title>
<link rel='stylesheet' id='open-sans-css' href='//fonts.googleapis.com/css?family=Open+Sans%3A300italic%2C400italic%2C600italic%2C300%2C400%2C600&subset=latin%2Clatin-ext&ver=3.8.1' type='text/css' media='all' />
<link rel='stylesheet' id='dashicons-css' href='http://www.mysite.com/wp-includes/css/dashicons.min.css?ver=3.8.1' type='text/css' media='all' />
<link rel='stylesheet' id='wp-admin-css' href='http://www.mysite.com/wp-admin/css/wp-admin.min.css?ver=3.8.1' type='text/css' media='all' />
<link rel='stylesheet' id='buttons-css' href='http://www.mysite.com/wp-includes/css/buttons.min.css?ver=3.8.1' type='text/css' media='all' />
<link rel='stylesheet' id='colors-fresh-css' href='http://www.mysite.com/wp-admin/css/colors.min.css?ver=3.8.1' type='text/css' media='all' />
<!--[if lte IE 7]>
<link rel='stylesheet' id='ie-css' href='http://www.mysite.com/wp-admin/css/ie.min.css?ver=3.8.1' type='text/css' media='all' />
<![endif]-->
<meta name='robots' content='noindex,follow' />
<script type="text/javascript">
addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
function s(id,pos){g(id).left=pos+'px';}
function g(id){return document.getElementById(id).style;}
function shake(id,a,d){c=a.shift();s(id,c);if(a.length>0){setTimeout(function(){shake(id,a,d);},d);}else{try{g(id).position='static';wp_attempt_focus();}catch(e){}}}
addLoadEvent(function(){ var p=new Array(15,30,15,0,-15,-30,-15,0);p=p.concat(p.concat(p));var i=document.forms[0].id;g(i).position='relative';shake(i,p,20);});
</script>
</head>
<body class="login login-action-login wp-core-ui">
<div id="login">
<h1><a href="http://wordpress.org/" title="Powered by WordPress">mysite www</a></h1>
<div id="login_error"> <strong>ERROR</strong>: Invalid username. <a href="http://www.mysite.com/login/?action=lostpassword" title="Password Lost and Found">Lost your password</a>?<br />
</div>
<form name="loginform" id="loginform" action="http://www.mysite.com/login/" method="post">
<p>
<label for="user_login">Username<br />
<input type="text" name="log" id="user_login" class="input" value="" size="20" /></label>
</p>
<p>
<label for="user_pass">Password<br />
<input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /></label>
</p>
<p class="cptch_block"><br /> <input type="hidden" name="cptch_result" value="hIE=" />
<input type="hidden" name="cptch_time" value="1393919042" />
<input type="hidden" value="Version: 2.4" />
1 + one = <input id="cptch_input" type="text" autocomplete="off" name="cptch_number" value="" maxlength="2" size="2" aria-required="true" required="required" style="margin-bottom:0;display:inline;font-size: 12px;width: 40px;" /> </p>
<br /> <p class="forgetmenot"><label for="rememberme"><input name="rememberme" type="checkbox" id="rememberme" value="forever" /> Remember Me</label></p>
<p class="submit">
<input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" />
<input type="hidden" name="redirect_to" value="http://www.mysite.com/wp-admin/" />
<input type="hidden" name="testcookie" value="1" />
</p>
</form>
<p id="nav">
<a href="http://www.mysite.com/login/?action=lostpassword" title="Password Lost and Found">Lost your password?</a>
</p>
<script type="text/javascript">
function wp_attempt_focus(){
setTimeout( function(){ try{
d = document.getElementById('user_login');
if( d.value != '' )
d.value = '';
d.focus();
d.select();
} catch(e){}
}, 200);
}
if(typeof wpOnload=='function')wpOnload();
</script>
<p id="backtoblog"><a href="http://www.mysite.com/" title="Are you lost?">← Back to mysite www</a></p>
</div>
<div class="clear"></div>
</body>
</html>
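An added example (not from the thread and not Palo Alto Networks code): the "failed login, not just login attempt" decision the poster wants, written as offline detection logic in Python over a constructed, trimmed copy of the stream above. It shows that the marker lives in the HTML body of the reply to the POST, not in the response headers, and adds the per-client time-rate check; the marker strings, login paths, window and threshold are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample, trimmed from the follow-TCP-stream dump in the thread above:
# the POST body runs straight into the response, exactly as in the capture.
STREAM = (
    "POST /login/ HTTP/1.1\r\nHost: www.mysite.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\n"
    "log=ed&pwd=ed&wp-submit=Log+In"
    "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
    '<html><body><div id="login_error"> <strong>ERROR</strong>: Invalid username. </div></body></html>'
)

# Assumed markers that only appear in the server's reply to a failed attempt.
FAILURE_MARKERS = ("Invalid username", "bad password", "incorrect")
LOGIN_PATHS = ("/login/", "/wp-login.php")
RESPONSE_START = re.compile(r"HTTP/1\.[01] (\d{3})")

def split_exchange(stream):
    """Return (method, path, status, response_body) from a request+response stream."""
    req_line = stream.split("\r\n", 1)[0]
    method, path, _ = req_line.split(" ", 2)
    m = RESPONSE_START.search(stream)          # request line has no status code, so this finds the reply
    if m is None:
        return method, path, None, ""
    response = stream[m.start():]
    _, _, body = response.partition("\r\n\r\n")  # headers end at the blank line; the HTML follows
    return method, path, int(m.group(1)), body

def is_failed_login(stream):
    """True only when a login POST is answered with a failure marker in the HTML body.
    The 200 status alone says nothing: WordPress returns 200 for both outcomes."""
    method, path, status, body = split_exchange(stream)
    if method != "POST" or path not in LOGIN_PATHS or status is None:
        return False
    return any(marker.lower() in body.lower() for marker in FAILURE_MARKERS)

def clients_over_threshold(events, window_s, threshold):
    """events: (timestamp_s, client_ip) pairs for failed logins, in time order.
    Returns the clients with more than `threshold` failures inside any sliding window."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:       # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(ip)
    return flagged
```

Counting only exchanges where `is_failed_login` is true, rather than every POST, is what keeps the legitimate multi-blog users in the thread from tripping the rate.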
03-04-2014 09:47 AM
Hello,
I'd recommend creating a rule in the vulnerability protection object with category set to brute-force and action set to drop-all-packets.
Hope this helps.
Regards,
Hari Yadavalli
03-04-2014 09:57 AM
Please also consider posting this question in the DevCenter community:
This community is for users to share custom content such as custom signatures, scripts, etc. Participants in DevCenter may be able to shed more light on what additional tuning may be needed for your custom signature (which context, what pattern, etc.) to match the stream in question.
03-04-2014 11:56 AM
Thanks for the suggestion @goku123! I just posted it to the DevCenter as well. I will take all the help I can get with this one. I know the device must be capable of this; I'm just too inexperienced with it to know how to do it at this point.