[Bro] Scripting question concerning web brute force attacks

Duba, Andrew andrew_duba at wustl.edu
Tue Sep 20 09:37:20 PDT 2016


Back from BroCon and am stoked about writing my first script!  So I'm interested in detecting multiple visits to login pages for common content managers (WordPress, Joomla, Drupal, etc.) in order to spot potential password guessing attacks.  I took a look at some Bro samples and came up with the code that is below.  I planned on using an http_request event handler to check for requests to login pages and increment a counter.  Question is, how do I do this by the origin and destination IP addresses? (i.e. if xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy both attempt to log in to the server zzz.zzz.zzz.zzz, how do I prevent xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy from being counted by the same counter?)

P.S. Sorry in advance if this is the wrong forum to ask for coding advice.

@load base/protocols/http
@load base/protocols/ssl

module HTTP;

export {
    redef enum Notice::Type += {
        Drupal_Password_Attack,
        Joomla_Password_Attack,
        Wordpress_Password_Attack
    };
    # ... (remainder of the export block elided in the original post)
}

# Note: the original post had a stray ")" after &priority=5, which is a syntax error.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=5
{
    if ( /wp-login\.php/ in original_URI )
    {
        ## TODO:  If we get here increment a counter of visits for this particular ip address
    }
}
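One way to keep the counters separate per source/destination pair, as an added example that is not the poster's code: index a table by both the originator and responder address, so two different clients hitting the same server each get their own entry. The login-page regex, the threshold of 20 requests, the 10 minute window and the notice name are assumptions for illustration; tune them for the environment. The table uses &create_expire so entries age out and the state stays bounded.

```bro
# Added example: count CMS login-page requests per (source, destination) pair
# and raise a notice once a source crosses a threshold against one server.
@load base/frameworks/notice
@load base/protocols/http

module LoginGuess;

export {
    redef enum Notice::Type += {
        ## Raised when one source sends many requests to a CMS login page
        ## on one server inside the tracking window.
        Login_Page_Hammering
    };

    ## Assumed threshold and window (not from the original post).
    const login_threshold = 20 &redef;
    const login_window = 10 min &redef;

    ## Assumed login-page paths for WordPress, Joomla and Drupal.
    const login_pages: pattern =
        /wp-login\.php|\/administrator\/index\.php|\/user\/login/ &redef;
}

# Indexing by [originator, responder] is what keeps the counters apart:
# requests from xxx and yyy to zzz land in two different entries.
# &create_expire drops an entry login_window after it was first created.
global login_counts: table[addr, addr] of count &create_expire=login_window;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=5
{
    if ( login_pages !in unescaped_URI )
        return;

    local orig = c$id$orig_h;
    local resp = c$id$resp_h;

    if ( [orig, resp] !in login_counts )
        login_counts[orig, resp] = 0;
    ++login_counts[orig, resp];

    # Fire exactly once when the threshold is reached; $identifier plus
    # $suppress_for keeps the notice from repeating for the same pair.
    if ( login_counts[orig, resp] == login_threshold )
    {
        NOTICE([$note=Login_Page_Hammering,
                $msg=fmt("%s made %d requests to a login page on %s within %s",
                         orig, login_threshold, resp, login_window),
                $conn=c,
                $identifier=cat(orig, resp),
                $suppress_for=login_window]);
    }
}
```

Matching on unescaped_URI rather than original_URI avoids being fooled by percent-encoding of the path. If the per-CMS notice types from the original post are wanted instead of one generic notice, the same table can be kept and the regex match split into one branch per login page, each raising its own Notice::Type.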