[Bro] Scripting question concerning web brute force attacks

anthony kasza anthony.kasza at gmail.com
Tue Sep 20 09:53:00 PDT 2016


You could create a global table indexed by orig IP with a type of count.
Then increment each IP's count within an HTTP event. You'll also likely
want to include an expiration timer on the table's entries.
Feel free to ask more questions!

-AK

On Sep 20, 2016 12:40 PM, "Duba, Andrew" <andrew_duba at wustl.edu> wrote:

> Back from Brocon and am stoked about writing my first script!  So I'm
> interested in detecting multiple visits to login pages for common content
> managers (WordPress, Joomla, Drupal, etc.) in order to spot potential
> password guessing attacks.  I took a look at some Bro samples and came up
> with the code that is below.  I planned on using an http_request event
> handler to check for requests to login pages and increment a counter.
> Question is how do I do this by the origin and destination IP addresses
> (i.e., if xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy both attempt to log in to the
> server zzz.zzz.zzz.zzz, how do I prevent xxx.xxx.xxx.xxx and
> yyy.yyy.yyy.yyy from being counted by the same counter?)
>
> P.S. Sorry in advance if this is the wrong forum to ask for coding advice.
>
> @load base/protocols/http
> @load base/protocols/ssl
>
> module HTTP;
>
> export {
>     redef enum Notice::Type += {
>         Drupal_Password_Attack,
>         Joomla_Password_Attack,
>         Wordpress_Password_Attack
>     };
> .
> .
> .
> }
>
> event http_request(c: connection, method: string, original_URI: string,
>                    unescaped_URI: string, version: string) &priority=5
> {
>     if ( /wp-login\.php/ in original_URI )
>     {
>         ## TODO: If we get here, increment a counter of visits for this
>         ## particular IP address
>     }
> }
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
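Putting AK's suggestion (a global table of counts with an expiry) together with the per-source, per-destination question from the original post, here is an added example; it is not code from either poster. The module name, the threshold, the expiry window and the restriction to POST requests are my assumptions.

```zeek
# Added example, not from the thread.  Counts wp-login.php POSTs per
# (client, server) pair and raises a notice when a threshold is crossed.
@load base/frameworks/notice
@load base/protocols/http

module LoginBrute;

export {
    redef enum Notice::Type += {
        ## One client sent too many login-page requests to one server.
        Wordpress_Password_Attack,
    };

    ## Requests from one client to one server, within the window,
    ## that trigger a notice.  Assumed value; tune for your site.
    const threshold = 20 &redef;

    ## Entries are dropped this long after they were created, so the
    ## count is a fixed window starting at the first request.
    const window = 5min &redef;
}

## Keyed by [client, server], so xxx and yyy hitting zzz each get their
## own counter instead of sharing one.
global login_hits: table[addr, addr] of count
    &default=0 &create_expire=window;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=5
{
    # A GET just loads the form; only a POST is a credential attempt.
    if ( method != "POST" || /wp-login\.php/ !in original_URI )
        return;

    local orig = c$id$orig_h;
    local resp = c$id$resp_h;

    ++login_hits[orig, resp];

    # Fire exactly once per window, when the counter reaches the threshold.
    if ( login_hits[orig, resp] == threshold )
        NOTICE([$note=Wordpress_Password_Attack,
                $msg=fmt("%s made %d wp-login.php requests to %s",
                         orig, threshold, resp),
                $conn=c,
                $identifier=cat(orig, resp)]);
}
```

Swapping `&create_expire` for `&write_expire` turns the fixed window into an idle timeout that resets on every request, which is the other common choice for this kind of counter.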