alert http any any -> any any (msg:"ET POLICY Cleartext WordPress Login"; flow:established,to_server; content:"log="; http_client_body; content:"&pwd="; http_client_body; content:"&wp-submit="; http_client_body; classtype:policy-violation; sid:2012843; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_05_25, updated_at 2016_07_01;)

Added 2017-08-07 21:06:02 UTC


alert tcp any any -> any $HTTP_PORTS (msg:"ET POLICY Cleartext WordPress Login"; flow:established,to_server; content:"log="; http_client_body; content:"&pwd="; http_client_body; content:"&wp-submit="; http_client_body; classtype:policy-violation; sid:2012843; rev:2;)

Added 2011-10-12 19:35:21 UTC

This rule is useless, as there are a lot of false positives from legitimate WP users who simply do not type their password right the first time. I would suggest adding a count and time reference to it in order to be useful. What do you guys think?

-- JohnNaggets - 2016-04-01
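
Added illustration (not part of the original page or the Emerging Threats ruleset): the rule's three `http_client_body` contents inspect only the request, so this Python sketch replays constructed login POSTs through the same match, then through a simplified per-source count/time window of the kind suggested in the comment above. The function and class names, the sample traffic and the 5-in-60-seconds values are assumptions.

```python
from collections import defaultdict, deque

# The three http_client_body content matches of sid 2012843 (no nocase, no
# distance/within, so they are case-sensitive and order-independent).
CONTENTS = (b"log=", b"&pwd=", b"&wp-submit=")

def rule_matches(body: bytes) -> bool:
    """Request-side check only: the server's response is never inspected."""
    return all(c in body for c in CONTENTS)

class SourceWindow:
    """Hypothetical per-source sliding window: fire once `count` matches
    from one source fall within `seconds` (not Suricata's exact semantics)."""
    def __init__(self, count: int, seconds: int):
        self.count, self.seconds = count, seconds
        self.hits = defaultdict(deque)

    def hit(self, src: str, ts: int) -> bool:
        q = self.hits[src]
        q.append(ts)
        while ts - q[0] > self.seconds:   # drop matches older than the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()                     # start counting afresh after an alert
            return True
        return False

def run(events, count=1, seconds=60):
    """Return (timestamp, source) per alert; count=1 alerts on every match."""
    window = SourceWindow(count, seconds)
    return [(ts, src) for ts, src, body in events
            if rule_matches(body) and window.hit(src, ts)]

# Constructed sample traffic: (seconds, source IP, HTTP request body).
EVENTS = [
    (0, "192.0.2.10", b"log=alice&pwd=example1&wp-submit=Log+In"),
    (5, "192.0.2.10", b"log=alice&pwd=example2&wp-submit=Log+In"),  # a retry
    (10, "192.0.2.10", b"s=search+term"),                           # not a login
] + [(100 + 5 * i, "198.51.100.23", b"log=admin&pwd=guess%d&wp-submit=Log+In" % i)
     for i in range(6)]                                             # rapid burst

if __name__ == "__main__":
    print(len(run(EVENTS)), "alerts without a threshold")
    print(run(EVENTS, count=5, seconds=60), "with 5 matches in 60 s per source")
```

Without a window, every cleartext login POST alerts whether or not the password was accepted; with the window, only the burst from a single source does.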


alert tcp any any -> any $HTTP_PORTS (msg:"ET POLICY Cleartext WordPress Login"; flow:established,to_server; content:"log="; http_client_body; content:"&pwd="; http_client_body; content:"&wp-submit="; http_client_body; classtype:policy-violation; sid:2012843; rev:2;)

Added 2011-05-25 19:28:47 UTC


Topic revision: r2 - 2016-04-01 - JohnNaggets
 
Copyright © Emerging Threats