# sid:2008453 rev:9 (current revision). Flags repeated HTTP Basic-auth attempts whose
# credential starts with "admin:" against an HTTP server on tcp/8080 (the usual Tomcat port).
# "YWRtaW46" is the base64 encoding of "admin:", so the password part that follows is not
# checked -- any password tried for the admin user matches.
# Compared with rev 7 below: the per-source threshold count was lowered from 30 to 5 and a
# fast_pattern was added. fast_pattern:15,14 hands the 14 bytes at offset 15 of the content
# ("Basic YWRtaW46") to the fast matcher instead of the generic "Authorization" prefix, which
# appears in every authenticated request.
# http_header limits the match to the normalized HTTP request-header buffer.
# threshold: alert once for every 5 matching requests from the same source IP within 30 s,
# so a single stray request does not fire; see the false-positive discussion at the bottom
# of this page (a page with many small auth-protected elements can still reach the count).
# NOTE(review): in Snort content syntax the trailing "?" is a literal byte, not a wildcard,
# and a base64 credential never contains "?" -- confirm against a real capture that the
# rule matches as intended.
# NOTE(review): the destination port is hard-coded to 8080; Tomcat instances bound to 80,
# 443/8443 or any other port are not covered by this rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; content:"Authorization|3a| Basic YWRtaW46?"; fast_pattern:15,14; http_header; threshold: type threshold, track by_src, count 5, seconds 30; reference:url,doc.emergingthreats.net/2008453; classtype:web-application-attack; sid:2008453; rev:9;)

Added 2012-01-18 18:00:56 UTC


# sid:2008453 rev:7 (superseded; added 2011-10-12). Same detection as the later rev 9 but
# without a fast_pattern and with a threshold of 30 matches per source in 30 s.
# Differs from the rev 7 entry just below only in option order (reference before classtype).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; content:"Authorization|3a| Basic YWRtaW46?"; http_header; threshold: type threshold, track by_src, count 30, seconds 30; reference:url,doc.emergingthreats.net/2008453; classtype:web-application-attack; sid:2008453; rev:7;)

Added 2011-10-12 19:25:10 UTC


# sid:2008453 rev:7 (superseded; added 2011-09-14). Identical match logic to the rev 7
# entry above; the second (cvsweb) reference present in the 2011-02-04 entry has been dropped.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; content:"Authorization|3a| Basic YWRtaW46?"; http_header; threshold: type threshold, track by_src, count 30, seconds 30; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2008453; sid:2008453; rev:7;)

Added 2011-09-14 22:38:37 UTC


# sid:2008453 rev:7 (superseded; added 2011-02-04). First revision to write the colon as
# the hex byte |3a| and to add the http_header modifier, which restricts the match to the
# normalized HTTP request-header buffer instead of the raw payload used by rev 3 and earlier.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; content:"Authorization|3a| Basic YWRtaW46?"; http_header; threshold: type threshold, track by_src, count 30, seconds 30; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2008453; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute; sid:2008453; rev:7;)

Added 2011-02-04 17:27:38 UTC


# sid:2008453 rev:3 (superseded; added 2009-02-12). Raw-payload match (no http_header) on
# "Authorization: Basic YWRtaW46" with the colon escaped as "\:"; threshold 30 per source
# in 30 s. Only the reference URLs differ from rev 2 below.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; content:"Authorization\: Basic YWRtaW46?"; threshold: type threshold, track by_src, count 30, seconds 30; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2008453; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute; sid:2008453; rev:3;)

Added 2009-02-12 18:21:19 UTC


# sid:2008453 rev:3 (superseded; added 2009-02-12). Duplicate of the rev 3 entry above,
# recorded with the same timestamp.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; content:"Authorization\: Basic YWRtaW46?"; threshold: type threshold, track by_src, count 30, seconds 30; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2008453; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Tomcat_Brute; sid:2008453; rev:3;)

Added 2009-02-12 18:21:19 UTC


# sid:2008453 rev:2 (superseded; added 2008-08-14). Raised the threshold from 3 to 30
# matches per source in 30 s in response to the false-positive report in the discussion
# at the bottom of this page (many small auth-protected page elements tripping the count).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; content:"Authorization\: Basic YWRtaW46?"; threshold: type threshold, track by_src, count 30, seconds 30; classtype:web-application-attack; sid:2008453; rev:2;)

Added 2008-08-14 08:30:21 UTC


# sid:2008453 rev:1 (original; added 2008-07-22). Raw-payload match on a Basic-auth header
# whose base64 credential begins with "YWRtaW46" ("admin:"), alerting every 3 matches from
# one source within 30 s. A legitimate browser fetching a page with several protected
# elements sends that many requests, which is the false positive reported below.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"ET SCAN Tomcat Auth Brute Force attempt (admin)"; flow:to_server,established; content:"Authorization\: Basic YWRtaW46?"; threshold: type threshold, track by_src, count 3, seconds 30; classtype:web-application-attack; sid:2008453; rev:1;)

Added 2008-07-22 10:00:21 UTC

I am seeing what appear to be false positives -- from looking at the pcaps, the flagged clients are accessing a site that requires auth and has lots of small elements on the page, so the threshold is reached repeatedly. I can't see any evidence of a brute force attempt.

-- RussellFulton - 14 Aug 2008

A higher threshold you're thinking? Maybe 30 in 30 seconds?

-- MattJonkman - 14 Aug 2008


Topic revision: r3 - 2008-08-14 - MattJonkman