How to Block HTTP Brute Force with Snort
I wrote my own Snort rule to detect and block brute forcing and spam sent through webmail (it will only block if you have SnortSam properly set up). This rule blocks anyone that does an HTTP POST more than 20 times within 10 seconds (I believe it is a ratio, an average of 2 times per second).
alert tcp any any -> X.X.X.X 80 ( content: "POST"; depth: 4; nocase; msg: "Webmail Brute Force Attempt or Spam Attack"; threshold: type both, track by_src, count 20, seconds 10; classtype: misc-activity; sid:123456789; rev:1; fwsam: src, 10 minutes;)
HINT: Replace X.X.X.X with the IP of your web server. Take out the "fwsam: src, 5 minutes;" option if you are not using SnortSam (you should be ;p). Replace 123456789 with your own custom ID and make it large so it doesn't conflict with default Snort rules.
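To make the counting behaviour of "threshold: type both, track by_src, count 20, seconds 10" concrete, here is an added Python simulation of that thresholding (not Snort code and not part of the original post). The source addresses and timestamps are constructed sample traffic.

```python
"""Simulate Snort's `threshold: type both, track by_src` for the rule above.

For each source address: the 10-second window opens at that source's first
matching POST; the alert fires once when the 20th match lands inside the
window, further matches in the same window are suppressed, and once the
window has expired the count starts over. Addresses/timestamps are constructed.
"""
from collections import namedtuple

Event = namedtuple("Event", "ts src method")  # ts in seconds


class ThresholdBoth:
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> [window_start, hits_in_window]

    def observe(self, ev):
        """Return True when this event should raise the alert."""
        if ev.method != "POST":          # content:"POST" did not match
            return False
        start, hits = self.state.get(ev.src, (ev.ts, 0))
        if ev.ts - start > self.seconds:  # window expired: open a new one
            start, hits = ev.ts, 0
        hits += 1
        self.state[ev.src] = [start, hits]
        return hits == self.count         # fire exactly once per window


def run(events, count=20, seconds=10):
    """Return (timestamp, src) for every alert the threshold would raise."""
    th = ThresholdBoth(count, seconds)
    return [(ev.ts, ev.src) for ev in events if th.observe(ev)]


# Constructed traffic: one client hammers the login form (25 POSTs in 5 s),
# one posts at a normal pace (4 POSTs in 10 s), one stops at 19 POSTs and
# then only sends GETs, which the rule never counts.
SAMPLE = (
    [Event(0.2 * i, "198.51.100.7", "POST") for i in range(25)]
    + [Event(2.5 * i, "203.0.113.20", "POST") for i in range(4)]
    + [Event(0.1 * i, "192.0.2.99", "POST") for i in range(19)]
    + [Event(0.3 * i, "192.0.2.99", "GET") for i in range(30)]
)

if __name__ == "__main__":
    for ts, src in run(SAMPLE):
        print(f"t={ts:5.1f}s alert: {src} hit 20 POSTs within 10 s")
```

Only the first client trips the rule, on its 20th POST; the others stay below the count or fall outside the matched content.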