[Bro] Scripting question concerning web brute force attacks

Azoff, Justin S jazoff at illinois.edu
Tue Sep 20 10:26:36 PDT 2016


> On Sep 20, 2016, at 12:37 PM, Duba, Andrew <andrew_duba at wustl.edu> wrote:
> 
> Back from Brocon and am stoked about writing my first script!  So I’m interested in detecting multiple visits to login pages for common content managers (wordpress, joomla, drupal, etc.) in order to spot potential password guessing attacks.  I took a look at some bro samples and came up with the code that is below.  I planned on using a http_request event handler to check for requests to login pages and increment a counter.  Question is, how do I do this by the origin and destination ip addresses (i.e. if xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy both attempt to login to the server zzz.zzz.zzz.zzz, how do I prevent xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy from being counted by the same counter)?
> 
> P.S. Sorry in advance if this is the wrong forum to ask for coding advice.

I would take a look at scripts/policy/protocols/http/detect-sqli.bro

It's a bit verbose, but it does basically the same thing you are looking for (it's 2x as big though, because it tracks attackers and victims separately, so you'd still notice a distributed attack against a single victim).




-- 
- Justin Azoff
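As an added illustration (not code from the thread or from detect-sqli.bro), the following Bro script keys the SumStats counter on the (client, server) pair, which is the direct answer to the question above; the login-page pattern, the module name, the threshold and the window are all assumed values chosen for the example.

```bro
@load base/frameworks/sumstats
@load base/frameworks/notice
@load base/protocols/http

module LoginGuess;

export {
	redef enum Notice::Type += {
		## Raised when one client sends many login requests to one server.
		Login_Guessing,
	};

	## Login pages of common content managers (constructed pattern; extend as needed).
	const login_uri = /\/wp-login\.php|\/administrator\/index\.php|\/user\/login/ &redef;

	## Requests from one client to one server within the window before a notice fires.
	const guess_threshold: double = 20.0 &redef;
	const guess_window = 5 min &redef;
}

event bro_init() &priority=3
	{
	local r: SumStats::Reducer = [$stream="login.attempt", $apply=set(SumStats::SUM)];
	SumStats::create([$name="login-guessing",
	                  $epoch=guess_window,
	                  $reducers=set(r),
	                  $threshold_val(key: SumStats::Key, result: SumStats::Result) =
	                  	{ return result["login.attempt"]$sum; },
	                  $threshold=guess_threshold,
	                  $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
	                  	{
	                  	NOTICE([$note=Login_Guessing,
	                  	        $msg=fmt("%s sent %.0f login requests to %s in %s",
	                  	                 key$host, result["login.attempt"]$sum,
	                  	                 key$str, guess_window),
	                  	        $src=key$host,
	                  	        $identifier=cat(key$host, key$str)]);
	                  	}]);
	}

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{
	# Count only submitted credentials (POST), not merely loading the form.
	if ( method != "POST" || login_uri !in unescaped_URI )
		return;
	# Key on (client, server): the same client against two servers, or two clients
	# against one server, each get their own counter.
	SumStats::observe("login.attempt",
	                  [$host=c$id$orig_h, $str=cat(c$id$resp_h)],
	                  [$num=1]);
	}
```

To also catch a distributed attack against one server, as Justin describes, add a second reducer/observation keyed only on `c$id$resp_h`.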
