[Bro] Scripting question concerning web brute force attacks
Duba, Andrew
andrew_duba at wustl.edu
Tue Sep 20 09:37:20 PDT 2016
Back from Brocon and am stoked about writing my first script! So I'm interested in detecting multiple visits to login pages for common content managers (wordpress, joomla, drupal, etc) in order to spot potential password guessing attacks. I took a look at some bro samples came up with the code that is below. I planned on using a http_request event handler to check for requests to login pages and increment a counter. Question is how do I this by the origin and destination ip addresses (I.e. If xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy both attempt to login to the server zzz.zzz.zzz.zzz how do I prevent xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy from being counted by the same counter?)
P.S. Sorry in advance if this is the wrong forum to ask for coding advice.
@load base/protocols/http
@load base/protocols/ssl
module HTTP;
export {
redef enum Notice::Type += {
Drupal_Password_Attack,
Joomla_Password_Attack,
Wordpress_Password_Attack
};
.
.
.
event http_request(c: connection, method: string, original_URI: string,
unescaped_URI: string, version: string) &priority=5)
{
if(/wp-login\.php/ in original_URI)
{
## TODO: If we get here increment a counter of visits for this particular ip address
}
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160920/f0554615/attachment.html
More information about the Bro
mailing list