[Bro] Detect failed HTTPS logins and get the source IP?

Liam Randall liam.randall at gmail.com
Wed Apr 1 08:30:42 PDT 2015


Hey Joey,

There are endless derivations you can do of this, however here's an
approach assuming you are speaking of http basic authorization:

https://github.com/criticalstack/bro-scripts/blob/master/http-basic-auth-bruteforcing/detect-http-basic-auth-bruteforcer.bro

I noted a number of derivations of the script in the comments at the top to
give you some thoughts.

Have you looked at the characteristics of the attacking hosts?  Are they
members of a specific botnet?

V/r,

Liam Randall


On Wed, Apr 1, 2015 at 10:52 AM, Barkley, Joey <Joey.Barkley at ingramcontent.com> wrote:

> All,
>
> Our organization recently began to experience an attack where they are
> trying to log into a 3rd party web application that we have exposed
> externally. They appear to be using a botnet that is spread across the
> globe, so our efforts to block country segments are only marginally
> effective. The real issue is that the application does not provide source
> IP addresses in the logs for the failed login attempts because it is being
> served up through nginx.
>
> We are just now starting to dabble with Bro, but still have very little
> ‘real world’ experience with writing our own scripts. Has anyone written a
> script that might give us a little help in this direction? We need to be
> able to track a session (login request), wait for a failure to return
> through, and then apply a threshold. So for example, I want to log an
> “alert” (sorry, forget what the terminology is in Bro) if an IP address
> fails login n times in x seconds. We will then use that log to block that
> IP address for a period of time.
>
> Is this something that Bro can do, and if so, where do I start? Any
> guidance would be greatly appreciated.
>
> Thanks,
> Joey
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
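The detection Joey describes (count 401 responses to requests that carried a basic-auth header, per source IP, over a sliding window, and raise a notice at a threshold) can be expressed in a short Bro script using the SumStats framework. The following is an added illustration written for this archive page; it is not Liam's linked script and not part of the thread. It assumes Bro 2.x with `base/protocols/http` and `base/frameworks/sumstats` loaded, and that Bro sees the client-facing side of the traffic so `c$id$orig_h` is the real client; if the sensor sits behind nginx instead, the key would have to come from the forwarded-client header nginx inserts rather than from the connection tuple. The module name `HTTPAuthBrute`, the notice type `Bruteforce_Attempt` and the two tunables are names chosen for this example.

```bro
##! Added example (not from the thread): raise a notice when one source IP
##! fails HTTP basic authentication more than N times within a window.

@load base/frameworks/sumstats
@load base/frameworks/notice
@load base/protocols/http

module HTTPAuthBrute;

export {
    redef enum Notice::Type += {
        ## A single client exceeded the basic-auth failure threshold.
        Bruteforce_Attempt
    };

    ## Failures from one source that trigger the notice ("n" in the question).
    const fail_threshold: double = 10 &redef;

    ## Window over which failures are counted ("x seconds" in the question).
    const fail_interval: interval = 60 secs &redef;
}

event bro_init()
{
    # Sum one observation per failed login, keyed by client address.
    local r1 = SumStats::Reducer($stream="http.auth.failure",
                                 $apply=set(SumStats::SUM));

    SumStats::create([$name="http-basic-auth-failures",
                      $epoch=fail_interval,
                      $reducers=set(r1),
                      # Value compared against $threshold for each key.
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                        {
                        return result["http.auth.failure"]$sum;
                        },
                      $threshold=fail_threshold,
                      # Fired once per key per epoch when the threshold is crossed;
                      # $identifier suppresses duplicate notices for the same host.
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                        {
                        local r = result["http.auth.failure"];
                        NOTICE([$note=Bruteforce_Attempt,
                                $src=key$host,
                                $msg=fmt("%s failed HTTP basic auth %.0f times within %s",
                                         key$host, r$sum, fail_interval),
                                $identifier=cat(key$host)]);
                        }]);
}

event http_reply(c: connection, version: string, code: count, reason: string)
{
    # The base HTTP analyzer fills c$http$username when the request carried a
    # "Authorization: Basic ..." header.  A 401 answer to such a request is a
    # failed login; a 401 without credentials is only the server's challenge.
    if ( code == 401 && c?$http && c$http?$username )
        SumStats::observe("http.auth.failure",
                          [$host=c$id$orig_h],
                          [$num=1]);
}
```

The notice lands in notice.log with the offending address in the `src` column, which is the record Joey's blocking step would consume; `fail_threshold` and `fail_interval` can be tuned with `redef` from local.bro without editing the script. Because SumStats is cluster-aware, the same script works unchanged when the counts are spread across several workers.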