r3 - 14 Aug 2008 - 12:34:32 - MattJonkman

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; content:"Authorization\: Basic YWRtaW46?"; threshold: type threshold, track by_src, count 30, seconds 30; classtype:web-application-attack; sid:2008453; rev:2;)

Added 2008-08-14 08:30:21 UTC

 


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; content:"Authorization\: Basic YWRtaW46?"; threshold: type threshold, track by_src, count 3, seconds 30; classtype:web-application-attack; sid:2008453; rev:1;)

Added 2008-07-22 10:00:21 UTC

I am seeing what appear to be false +ves -- from looking at the pcaps they are accessing a site that requires auth and has lots of small elements on the page so the threshold is reached repeatedly. I can't see any evidence of brute force attempt.

-- RussellFulton - 14 Aug 2008

A higher threshold you're thinking? Maybe 30 in 30 seconds?

-- MattJonkman - 14 Aug 2008
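To see why a count of 3 fires on an ordinary authenticated page load while 30 in 30 seconds separates that from a scripted credential guesser, here is an added Python model of the rule's content match and threshold. It is example code written for this note, not part of the rule or the ET ruleset, and it assumes Snort's `type threshold` semantics (alert on every count-th match per source inside the window) and a prefix match on `Authorization: Basic YWRtaW46` (base64 of `admin:`), leaving aside the rule's trailing `?`.

```python
import base64
from collections import defaultdict

# The rule keys on base64("admin:") = "YWRtaW46". Assumption: treat the
# rule's content as a prefix match and ignore its trailing "?".
ADMIN_PREFIX = "Authorization: Basic " + base64.b64encode(b"admin:").decode()


class SourceThreshold:
    """Model of 'threshold: type threshold, track by_src, count N, seconds T':
    alert on every N-th matching packet from one source within a T-second
    window; the window (and the hit count) restarts once it has expired."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: [None, 0])  # src -> [window_start, hits]

    def hit(self, src, ts):
        start, hits = self.state[src]
        if start is None or ts - start > self.seconds:
            start, hits = ts, 0          # window expired: start a new one
        hits += 1
        fired = hits >= self.count
        if fired:
            hits = 0                     # Snort re-arms after each alert
        self.state[src] = [start, hits]
        return fired


def run_rule(requests, count, seconds):
    """Apply the content match plus threshold; return (src, ts) per alert."""
    thr = SourceThreshold(count, seconds)
    alerts = []
    for src, ts, headers in requests:
        if any(h.startswith(ADMIN_PREFIX) for h in headers) and thr.hit(src, ts):
            alerts.append((src, ts))
    return alerts


# Constructed sample: one browser loading an auth-protected intranet page
# with 20 small elements in two seconds, each request re-sending the same
# admin credential (the false-positive case described above).
PAGE_LOAD = [("10.0.0.5", 100.0 + i * 0.1,
              ["Host: intranet.example", ADMIN_PREFIX + "cGFzc3dvcmQ="])
             for i in range(20)]

# Constructed sample: a scripted guesser from another source, 40 different
# passwords over 20 seconds. base64("admin:") is 8 chars, so the password
# part simply follows the prefix.
GUESSER = [("203.0.113.9", 200.0 + i * 0.5,
            [ADMIN_PREFIX + base64.b64encode(f"guess{i}".encode()).decode()])
           for i in range(40)]
```

With rev 1 (count 3) the page load alone produces six alerts; with rev 2 (count 30) it produces none, while the guesser still trips the rule once it reaches 30 tries inside the window.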


Emerging Threats