This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Custom Vulnerability Object to detect Failed WordPress Logins

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Custom Vulnerability Object to detect Failed WordPress Logins

SimonBlackler
L1 Bithead

‎07-31-2014 05:19 AM

I'm trying to stem the flood of wordpress brute force attacks coming into our network (we host a lot of WP sites).

Detecting WP logins is relatively easy, by setting up a signature that looks for the regex wp\-login\.php in the http-req-uri-path context with the http-method = POST qualifier. I can now see all of the wp-login requests coming into our network.

However, detecting a failed WP means also detecting the 200 response code from the web server (WordPress issues a 302 redirect upon sucessful login, a 200 upon failure).

I have tried adding an extra AND condition to my signature which checks for http-rsp-code = 200 but it doesn't trigger. So...

Custom Vuln Signature:

Severity : Informational

Default Action : Alert

Direction : client2server

Affected System : server

Signature (Standard)

Scope : Transaction

Ordered Condition Match

Condition 1 : pattern-match http-req-uri-path ~= wp\-login\.php

Condition 2 : equal-to http-rsp-code == 200

Why is this failing to work? Without Condition 2 it shows up all wp logins, but with Condition 2 it sees nothing. Help 🙂

0 Likes Likes
9 REPLIES 9

HULK
L7 Applicator

‎07-31-2014 06:51 PM

Hello Simonblackler,

Could you please post your query to DEVCENTER, they might help you for your custom signature.

Thanks

HITSSEC
L4 Transporter

‎07-31-2014 07:14 PM

Simon,

We control wordpress logins in the following manner:

force your web content management staff us only access the Wordpress login page from on the network (internal zone) and if they require it from of the network then require them to use a vpn solution.   This then means that any wordpress login request from the internet is not desirable and can be blocked with the signature that just identifies the incoming request from the internet.  We have been doing this for over a year now with a lot of success.

Phil

SimonBlackler
L1 Bithead
In response to HITSSEC

‎08-01-2014 07:00 AM

Thanks Phil, unfortunately this won't work - we are a web host and host thousands of wp sites - we need to block/reset incoming connections from external/public IP addresses that repeatedly fail to log into WP correctly.

0 Likes Likes

pulukas
L7 Applicator

‎08-01-2014 04:14 PM

The signature does look correct for the response code 200.  Can you do a packet capture on a failed login and confirm what the data looks like in the response?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks