alert tcp any any -> any $HTTP_PORTS (msg:"ET POLICY Cleartext WordPress Login"; flow:established,to_server; content:"log="; http_client_body; content:"&pwd="; http_client_body; content:"&wp-submit="; http_client_body; classtype:policy-violation; sid:2012843; rev:2;)

Added 2011-10-12 19:35:21 UTC

This rule is useless, as there are a lot of false positives of legitimate WP users who simply do not type their password right the first time. I would suggest adding a count and time reference to it in order to be useful. What do you guys think?

-- JohnNaggets - 2016-04-01
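
The "count and time reference" suggested in the comment above maps to the `threshold` and `detection_filter` rule keywords. The two variants below are an added example, not part of the Emerging Threats ruleset; the sids are placeholders from the local range, and the count and seconds values are assumptions to be tuned per site.

```suricata
# Variant A (added example, placeholder sid): same match as sid 2012843,
# but at most one alert per source address every 300 seconds, so repeated
# login attempts from one user do not flood the console.
alert tcp any any -> any $HTTP_PORTS (msg:"LOCAL POLICY Cleartext WordPress Login (rate limited)"; flow:established,to_server; content:"log="; http_client_body; content:"&pwd="; http_client_body; content:"&wp-submit="; http_client_body; threshold:type limit, track by_src, count 1, seconds 300; classtype:policy-violation; sid:1000001; rev:1;)

# Variant B (added example, placeholder sid): stays silent until one source
# has produced 5 matching login POSTs within 60 seconds, then alerts on
# further matches. This turns the policy rule into a repeated-login indicator.
alert tcp any any -> any $HTTP_PORTS (msg:"LOCAL POLICY Repeated Cleartext WordPress Login"; flow:established,to_server; content:"log="; http_client_body; content:"&pwd="; http_client_body; content:"&wp-submit="; http_client_body; detection_filter:track by_src, count 5, seconds 60; classtype:policy-violation; sid:1000002; rev:1;)
```

Neither keyword changes what the rule matches: any login form POST seen in cleartext still qualifies, whether or not the password was correct.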


alert tcp any any -> any $HTTP_PORTS (msg:"ET POLICY Cleartext WordPress Login"; flow:established,to_server; content:"log="; http_client_body; content:"&pwd="; http_client_body; content:"&wp-submit="; http_client_body; classtype:policy-violation; sid:2012843; rev:2;)

Added 2011-05-25 19:28:47 UTC


Topic revision: r2 - 2016-04-01 - JohnNaggets
 