Custom signature needed to detect "invalid username" response to a brute force login attempt (is it possible?)



Not applicable

Hi,

I'm new to Palo Alto and custom threat signatures. I'm trying to detect invalid login attempts to a web site and apply a time rate. When the user enters an invalid username in the login, the site returns the text "invalid username". Which context would I use to search for this pattern match? I read the "Creating Custom Signatures" document, but it created more questions and I can't seem to find any deeper documentation. By using that document, I was able to use the WordPress brute force combination signature they included (monitoring HTTP POST to wp-login.php), but I have some users that trip those thresholds often because they log into many blogs simultaneously on one server. I'm looking for something a little more granular (not just login attempts, good or bad, but bad attempts based on the site returning the text "bad password" or "invalid username"). Is this possible? I don't mind reading more documentation regarding custom signatures if it's available; I've just not seen any other documents yet that give an example like this.

Thanks!

5 REPLIES

L7 Applicator

Do you have a pcap file taken at the client or server? Try to find a matching signature from it.

FYI Trigger Conditions for Brute Force Signatures

Thanks

Not applicable

I did take a pcap of the exchange between client and server. I see the text in the pcap, but still not sure which context to use to search for the string. The client sends an http POST to wp-login.php, and then the server issues an http 200 response and then the "Invalid username" text comes a few packets later. Below is the TCP stream from the pcap that contains the "Invalid username" text. I've tried the http_rsp_headers and file_html_body contexts, but still unable to match the text in the exchange.

POST /login/ HTTP/1.1

Host: www.mysite.com

Connection: keep-alive

Content-Length: 164

Cache-Control: max-age=0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Origin: http://www.mysite.com

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36

Content-Type: application/x-www-form-urlencoded

Referer: http://www.mysite.com/login/

Accept-Encoding: gzip,deflate,sdch

Accept-Language: en-US,en;q=0.8

Cookie: wlp_post_protection=1; PHPSESSID=gh0pdah82shb6les906pc5n4u7; __utma=74238163.586482511.1393824836.1393824836.1393824836.1; __utmc=74238163; __utmz=74238163.1393824836.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=217530694.1368975606.1393822044.1393822044.1393886113.2; __utmc=217530694; __utmz=217530694.1393822044.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wfvt_345498598=531583af83045; wordpress_test_cookie=WP+Cookie+check

log=ed&pwd=ed&cptch_result=87Q%3D&cptch_time=1393918888&cptch_number=6&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.mysite.com%2Fwp-admin%2F&testcookie=1HTTP/1.1 200 OK

Date: Tue, 04 Mar 2014 07:44:02 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Set-Cookie: wfvt_345498598=5315844284ba8; expires=Tue, 04-Mar-2014 08:14:02 GMT; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/

X-Frame-Options: SAMEORIGIN

Content-Length: 4373

Connection: close

Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>

  <!--[if IE 8]>

  <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">

  <![endif]-->

  <!--[if !(IE 8) ]><!-->

  <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">

  <!--<![endif]-->

  <head>

  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

  <title>mysite www &rsaquo; Log In</title>

  <link rel='stylesheet' id='open-sans-css'  href='//fonts.googleapis.com/css?family=Open+Sans%3A300italic%2C400italic%2C600italic%2C300%2C400%2C600&#038;subset=latin%2Clatin-ext&#038;ver=3.8.1' type='text/css' media='all' />

<link rel='stylesheet' id='dashicons-css'  href='http://www.mysite.com/wp-includes/css/dashicons.min.css?ver=3.8.1' type='text/css' media='all' />

<link rel='stylesheet' id='wp-admin-css'  href='http://www.mysite.com/wp-admin/css/wp-admin.min.css?ver=3.8.1' type='text/css' media='all' />

<link rel='stylesheet' id='buttons-css'  href='http://www.mysite.com/wp-includes/css/buttons.min.css?ver=3.8.1' type='text/css' media='all' />

<link rel='stylesheet' id='colors-fresh-css'  href='http://www.mysite.com/wp-admin/css/colors.min.css?ver=3.8.1' type='text/css' media='all' />

<!--[if lte IE 7]>

<link rel='stylesheet' id='ie-css'  href='http://www.mysite.com/wp-admin/css/ie.min.css?ver=3.8.1' type='text/css' media='all' />

<![endif]-->

<meta name='robots' content='noindex,follow' />

<script type="text/javascript">

addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};

function s(id,pos){g(id).left=pos+'px';}

function g(id){return document.getElementById(id).style;}

function shake(id,a,d){c=a.shift();s(id,c);if(a.length>0){setTimeout(function(){shake(id,a,d);},d);}else{try{g(id).position='static';wp_attempt_focus();}catch(e){}}}

addLoadEvent(function(){ var p=new Array(15,30,15,0,-15,-30,-15,0);p=p.concat(p.concat(p));var i=document.forms[0].id;g(i).position='relative';shake(i,p,20);});

</script>

  </head>

  <body class="login login-action-login wp-core-ui">

  <div id="login">

  <h1><a href="http://wordpress.org/" title="Powered by WordPress">mysite www</a></h1>

  <div id="login_error"> <strong>ERROR</strong>: Invalid username. <a href="http://www.mysite.com/login/?action=lostpassword" title="Password Lost and Found">Lost your password</a>?<br />

</div>

<form name="loginform" id="loginform" action="http://www.mysite.com/login/" method="post">

  <p>

  <label for="user_login">Username<br />

  <input type="text" name="log" id="user_login" class="input" value="" size="20" /></label>

  </p>

  <p>

  <label for="user_pass">Password<br />

  <input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /></label>

  </p>

  <p class="cptch_block"><br /> <input type="hidden" name="cptch_result" value="hIE=" />

  <input type="hidden" name="cptch_time" value="1393919042" />

  <input type="hidden" value="Version: 2.4" />

  1 &#43; on&#101; =  <input id="cptch_input" type="text" autocomplete="off" name="cptch_number" value="" maxlength="2" size="2" aria-required="true" required="required" style="margin-bottom:0;display:inline;font-size: 12px;width: 40px;" /> </p>

  <br /> <p class="forgetmenot"><label for="rememberme"><input name="rememberme" type="checkbox" id="rememberme" value="forever"  /> Remember Me</label></p>

  <p class="submit">

  <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" />

  <input type="hidden" name="redirect_to" value="http://www.mysite.com/wp-admin/" />

  <input type="hidden" name="testcookie" value="1" />

  </p>

</form>

<p id="nav">

  <a href="http://www.mysite.com/login/?action=lostpassword" title="Password Lost and Found">Lost your password?</a>

</p>

<script type="text/javascript">

function wp_attempt_focus(){

setTimeout( function(){ try{

d = document.getElementById('user_login');

if( d.value != '' )

d.value = '';

d.focus();

d.select();

} catch(e){}

}, 200);

}

if(typeof wpOnload=='function')wpOnload();

</script>

  <p id="backtoblog"><a href="http://www.mysite.com/" title="Are you lost?">&larr; Back to mysite www</a></p>

  </div>

  <div class="clear"></div>

  </body>

  </html>
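Added example, not code from the thread or from Palo Alto Networks: a small Python script that does in software what the custom signature above is meant to express, so you can confirm against the capture exactly which fields a match has to see (the POST to the login path, then the "Invalid username" text in the 200 OK response body) before a time rate is applied on top. It does not answer which PAN-OS context to use; that part of the question stays open in the thread. The login paths, the "bad password" wording, the threshold of 5 failures in 60 seconds, and the sample exchanges are assumptions built from the thread's capture.

```python
import re
from collections import defaultdict, deque

# Login endpoints seen in the thread (assumption: both are treated as login handlers)
LOGIN_PATHS = ("/login/", "/wp-login.php")

# Response text that marks a failed attempt. "Invalid username" is the string in the
# captured stream; "bad password" is the wording the poster mentioned (assumed).
FAILURE_PATTERNS = (
    re.compile(rb"Invalid username", re.IGNORECASE),
    re.compile(rb"bad password", re.IGNORECASE),
)


def parse_http_message(data):
    """Split one HTTP/1.1 message off the front of a byte stream.

    Returns (start_line, headers, body, remainder). The body is cut at
    Content-Length, so the remainder is whatever follows in the same TCP
    stream (the server's response when `data` began with the request).
    """
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    length = int(headers.get("content-length", "0"))
    return start_line, headers, rest[:length], rest[length:]


def is_failed_login(stream):
    """True when the stream is a POST to a login path answered with a failure page."""
    req_line, _, _, rest = parse_http_message(stream)
    method, target, _ = req_line.split(" ", 2)
    path = target.split("?", 1)[0]
    if method != "POST" or not path.endswith(LOGIN_PATHS):
        return False
    if not rest:
        return False  # response not present in this stream
    rsp_line, _, rsp_body, _ = parse_http_message(rest)
    status = rsp_line.split(" ")[1]
    if not status.startswith("2"):
        return False  # the site in the thread answers failures with 200 OK
    return any(p.search(rsp_body) for p in FAILURE_PATTERNS)


class FailureRateTracker:
    """Sliding-window counter: a source trips when it reaches `threshold`
    failed logins within `window` seconds (default values are assumptions)."""

    def __init__(self, threshold=5, window=60):
        self.threshold = threshold
        self.window = window
        self._events = defaultdict(deque)

    def record(self, source, ts):
        q = self._events[source]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()  # drop failures older than the window
        return len(q) >= self.threshold


def build_exchange(path, req_body, rsp_body, status=b"200 OK"):
    """Construct a request/response pair in the shape of the thread's capture
    (sample data, not a real capture)."""
    req = (b"POST " + path + b" HTTP/1.1\r\nHost: www.mysite.com\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: %d\r\n\r\n" % len(req_body)) + req_body
    rsp = (b"HTTP/1.1 " + status + b"\r\nContent-Type: text/html; charset=UTF-8\r\n"
           b"Content-Length: %d\r\n\r\n" % len(rsp_body)) + rsp_body
    return req + rsp


# Constructed samples: a failure like the one in the thread, a "bad password" failure,
# a successful login (redirect), and a non-login POST whose body happens to contain the text.
SAMPLE_FAILURE = build_exchange(
    b"/login/", b"log=ed&pwd=ed&wp-submit=Log+In",
    b'<div id="login_error"> <strong>ERROR</strong>: Invalid username. </div>')
SAMPLE_BAD_PASSWORD = build_exchange(
    b"/wp-login.php", b"log=admin&pwd=x",
    b'<div id="login_error"><strong>ERROR</strong>: Bad password.</div>')
SAMPLE_SUCCESS = build_exchange(
    b"/login/", b"log=ed&pwd=right", b"", status=b"302 Found")
SAMPLE_OTHER_POST = build_exchange(
    b"/wp-comments-post.php", b"comment=hello", b"Invalid username")


if __name__ == "__main__":
    # Constructed event log: (source IP, timestamp in seconds, captured stream)
    events = [("10.0.0.7", t, SAMPLE_FAILURE) for t in (0, 5, 12, 18, 25)]
    events.append(("10.0.0.8", 30, SAMPLE_SUCCESS))
    tracker = FailureRateTracker(threshold=5, window=60)
    for src, ts, stream in events:
        if is_failed_login(stream) and tracker.record(src, ts):
            print(f"brute-force threshold reached: {src} at t={ts}")
```

The point of splitting the check in two is the poster's complaint about false positives: the rate only counts exchanges where the response body carries the failure text, so a user legitimately logging into many blogs is not counted, while the non-login POST sample shows why the request path has to be checked alongside the response text.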

L5 Sessionator

Hello,

I'd recommend creating a rule in the vulnerability protection object with category set to brute-force and action set to drop-all-packets.

Hope this helps.

Regards,

Hari Yadavalli

L7 Applicator

Please also consider posting this question in the DevCenter community:

DevCenter

This community is for users to share custom content such as custom signatures, scripts, etc. Participants in DevCenter may be able to shed more light on what additional tuning may be needed for your custom signature (which context, what pattern, etc.) to match the stream in question.

Thanks for the suggestion @goku123 ! I just posted it to the DevCenter as well. I will take all the help I can get with this one. I know the device must be capable of this, I'm just too inexperienced with it to know how to do it at this point.
