[Bro] Detect failed HTTPS logins and get the source IP?

[Barkley, Joey]

All,

Our organization recently began to experience an attack where they are trying to log into a 3rd party web application that we have exposed externally. They appear to be using a bonnet that is spread across the globe, so our efforts to block country segments are only marginally effective. The real issue is that the application does not provide source IP addresses in the logs for the failed login attempts because it is being served up through nginx.

We are just now starting to dabble with Bro, but still have very little ‘real world’ experience with writing our own scripts. Has anyone written a script that might give us a little help in this direction? We need to be able to track a session (login request), wait for a failure to return through, and then apply a threshold. So for example, I want to log an “alert” (sorry, forget what the terminology is in Bro) if an IP address fails login n times in x seconds. We will then use that log to block that IP address for a period of time.

Is this something that Bro can do, and if so, where do I start? Any guidance would be greatly appreciated.

Thanks,
Joey