Hi, I'm new to Palo Alto and custom threat signatures. I'm trying to detect invalid login attempts to a web site and apply a time rate. When the user enters an invalid username in the login, the site returns the text "invalid username". Which context would I use to search for this pattern match? I read the "Creating Custom Signatures" document, but it created more questions and I can't seem to find any deeper documentation. By using that document, I was able to use the WordPress brute force combination signature they included (monitoring HTTP POST to wp-login.php), but I have some users that trip those thresholds often because they log into many blogs simultaneously on one server. I'm looking for something a little more granular (not just login attempts, good or bad, but bad attempts based on the site returning the text "bad password" or "invalid username"). Is this possible?

I don't mind reading more documentation regarding custom signatures if it's available; I've just not seen any other documents yet that give an example like this. I did take a pcap of the exchange between client and server. I see the text in the pcap, but I'm still not sure which context to use to search for the string. The client sends an HTTP POST to wp-login.php, then the server issues an HTTP 200 response, and then the "Invalid username" text comes a few packets later. Below is the TCP stream from the pcap that contains the "Invalid username" text. I've tried the http_rsp_headers and file_html_body contexts, but I'm still unable to match the text in the exchange. Thanks!
POST /login/ HTTP/1.1
Host: www.mysite.com
Connection: keep-alive
Content-Length: 164
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://www.mysite.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://www.mysite.com/login/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: wlp_post_protection=1; PHPSESSID=gh0pdah82shb6les906pc5n4u7; __utma=74238163.586482511.1393824836.1393824836.1393824836.1; __utmc=74238163; __utmz=74238163.1393824836.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=217530694.1368975606.1393822044.1393822044.1393886113.2; __utmc=217530694; __utmz=217530694.1393822044.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wfvt_345498598=531583af83045; wordpress_test_cookie=WP+Cookie+check

log=ed&pwd=ed&cptch_result=87Q%3D&cptch_time=1393918888&cptch_number=6&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.mysite.com%2Fwp-admin%2F&testcookie=1

HTTP/1.1 200 OK
Date: Tue, 04 Mar 2014 07:44:02 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Set-Cookie: wfvt_345498598=5315844284ba8; expires=Tue, 04-Mar-2014 08:14:02 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
X-Frame-Options: SAMEORIGIN
Content-Length: 4373
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<!--[if IE 8]>
<html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
<![endif]-->
<!--[if !(IE 8) ]><!-->
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US">
<!--<![endif]-->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>mysite www › Log In</title>
<link rel='stylesheet' id='open-sans-css' href='//fonts.googleapis.com/css?family=Open+Sans%3A300italic%2C400italic%2C600italic%2C300%2C400%2C600&subset=latin%2Clatin-ext&ver=3.8.1' type='text/css' media='all' />
<link rel='stylesheet' id='dashicons-css' href='http://www.mysite.com/wp-includes/css/dashicons.min.css?ver=3.8.1' type='text/css' media='all' />
<link rel='stylesheet' id='wp-admin-css' href='http://www.mysite.com/wp-admin/css/wp-admin.min.css?ver=3.8.1' type='text/css' media='all' />
<link rel='stylesheet' id='buttons-css' href='http://www.mysite.com/wp-includes/css/buttons.min.css?ver=3.8.1' type='text/css' media='all' />
<link rel='stylesheet' id='colors-fresh-css' href='http://www.mysite.com/wp-admin/css/colors.min.css?ver=3.8.1' type='text/css' media='all' />
<!--[if lte IE 7]>
<link rel='stylesheet' id='ie-css' href='http://www.mysite.com/wp-admin/css/ie.min.css?ver=3.8.1' type='text/css' media='all' />
<![endif]-->
<meta name='robots' content='noindex,follow' />
<script type="text/javascript">
addLoadEvent = function(func){if(typeof jQuery!="undefined")jQuery(document).ready(func);else if(typeof wpOnload!='function'){wpOnload=func;}else{var oldonload=wpOnload;wpOnload=function(){oldonload();func();}}};
function s(id,pos){g(id).left=pos+'px';}
function g(id){return document.getElementById(id).style;}
function shake(id,a,d){c=a.shift();s(id,c);if(a.length>0){setTimeout(function(){shake(id,a,d);},d);}else{try{g(id).position='static';wp_attempt_focus();}catch(e){}}}
addLoadEvent(function(){ var p=new Array(15,30,15,0,-15,-30,-15,0);p=p.concat(p.concat(p));var i=document.forms[0].id;g(i).position='relative';shake(i,p,20);});
</script>
</head>
<body class="login login-action-login wp-core-ui">
<div id="login">
<h1><a href="http://wordpress.org/" title="Powered by WordPress">mysite www</a></h1>
<div id="login_error"> <strong>ERROR</strong>: Invalid username. <a href="http://www.mysite.com/login/?action=lostpassword" title="Password Lost and Found">Lost your password</a>?<br /> </div>
<form name="loginform" id="loginform" action="http://www.mysite.com/login/" method="post">
<p> <label for="user_login">Username<br /> <input type="text" name="log" id="user_login" class="input" value="" size="20" /></label> </p>
<p> <label for="user_pass">Password<br /> <input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /></label> </p>
<p class="cptch_block"><br /> <input type="hidden" name="cptch_result" value="hIE=" /> <input type="hidden" name="cptch_time" value="1393919042" /> <input type="hidden" value="Version: 2.4" /> 1 + one = <input id="cptch_input" type="text" autocomplete="off" name="cptch_number" value="" maxlength="2" size="2" aria-required="true" required="required" style="margin-bottom:0;display:inline;font-size: 12px;width: 40px;" /> </p>
<br />
<p class="forgetmenot"><label for="rememberme"><input name="rememberme" type="checkbox" id="rememberme" value="forever" /> Remember Me</label></p>
<p class="submit"> <input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" /> <input type="hidden" name="redirect_to" value="http://www.mysite.com/wp-admin/" /> <input type="hidden" name="testcookie" value="1" /> </p>
</form>
<p id="nav"> <a href="http://www.mysite.com/login/?action=lostpassword" title="Password Lost and Found">Lost your password?</a> </p>
<script type="text/javascript">
function wp_attempt_focus(){ setTimeout( function(){ try{ d = document.getElementById('user_login'); if( d.value != '' ) d.value = ''; d.focus(); d.select(); } catch(e){} }, 200); }
if(typeof wpOnload=='function')wpOnload();
</script>
<p id="backtoblog"><a href="http://www.mysite.com/" title="Are you lost?">← Back to mysite www</a></p>
</div>
<div class="clear"></div>
</body>
</html>
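The match the post is after, written out as an added Python example (not part of the post, and not Palo Alto's signature syntax): a failed login is a POST to the login page that draws an HTML 200 whose body, not its headers, contains one of the failure strings, and those failures are then counted per source in a sliding window so a user with many successful logins never trips the rate. The HTTP messages, addresses and the /login/ path are constructed stand-ins modelled on the capture above.

```python
import re
from collections import defaultdict, deque

# Poster's failure strings; matched in the response BODY (the HTML), never in its headers.
ERROR_PATTERNS = [re.compile(p, re.I) for p in (rb"invalid username", rb"bad password")]
LOGIN_PATH = re.compile(rb"^/(login/|wp-login\.php)(\?|$)")

def split_http(raw: bytes):
    """Raw HTTP message -> (start line, {lower-case header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(b":") for l in lines[1:])}
    return lines[0], headers, body

def is_failed_login(request: bytes, response: bytes) -> bool:
    """POST to the login page answered by an HTML 200 whose body carries a failure string.
    Assumes an identity body as in the capture; a gzip body must be decoded before matching."""
    parts = split_http(request)[0].split(b" ")
    if len(parts) < 2 or parts[0] != b"POST" or not LOGIN_PATH.match(parts[1]):
        return False
    rsp_line, rsp_headers, body = split_http(response)
    if b" 200 " not in rsp_line or b"text/html" not in rsp_headers.get(b"content-type", b""):
        return False
    return any(p.search(body) for p in ERROR_PATTERNS)

class FailureRateTracker:
    """Per-source sliding window; record() is True once `threshold` failures fall inside it."""
    def __init__(self, threshold: int = 5, window_s: float = 60):
        self.threshold, self.window_s, self.events = threshold, window_s, defaultdict(deque)
    def record(self, src_ip: str, ts: float) -> bool:
        q = self.events[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        return len(q) >= self.threshold

# Constructed messages modelled on the capture in the post, not real traffic.
REQ = (b"POST /login/ HTTP/1.1\r\nHost: www.mysite.com\r\n"
       b"Content-Type: application/x-www-form-urlencoded\r\n\r\nlog=ed&pwd=ed&testcookie=1")
FAIL = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
        b'<div id="login_error"><strong>ERROR</strong>: Invalid username.</div>')
OK = b"HTTP/1.1 302 Found\r\nLocation: http://www.mysite.com/wp-admin/\r\n\r\n"

def demo(threshold: int = 3, window_s: float = 60):
    """Ten successful logins from a busy user never count; three failures from one source do."""
    tracker, alerts = FailureRateTracker(threshold, window_s), []
    traffic = [("10.0.0.5", t, OK) for t in range(0, 50, 5)] + [("10.0.0.9", t, FAIL) for t in (1, 21, 41)]
    for src, ts, rsp in sorted(traffic, key=lambda e: e[1]):
        if is_failed_login(REQ, rsp) and tracker.record(src, ts):
            alerts.append((src, ts))
    return alerts  # → [("10.0.0.9", 41)]
```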