{
"transaction" : {
"transaction_id" : "VbJ9aH8AAQEAAHN3OTcAAABA",
"time" : "24/Jul/2015:11:01:12 --0700",
"remote_port" : 34094,
"local_address" : "127.0.0.1",
"local_port" : 80,
"remote_address" : "127.0.0.1"
},
"request" : {
"headers" : {
"User-Agent" : "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"Accept" : "*/*",
"Host" : "localhost"
},
"request_line" : "POST /wp-login.php HTTP/1.1"
},
"response" : {
"protocol" : "HTTP/1.1",
"status" : 403,
"headers" : {
"Content-Type" : "text/html; charset=iso-8859-1",
"Content-Length" : "288"
}
},
"audit_data" : {
"engine_mode" : "ENABLED",
"server" : "Apache/2.4.7 (Ubuntu)",
"stopwatch" : {
"sr" : 0,
"sw" : 0,
"p5" : 20,
"p1" : 300,
"p3" : 0,
"p4" : 0,
"p2" : 0,
"gc" : 0,
"l" : 0
},
"producer" : "ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/)",
"action" : {
"message" : "String match \"POST\" at REQUEST_METHOD.",
"phase" : 1,
"intercepted" : true
}
},
"matched_rules" : [
{
"rules" : [
{
"actionset" : {
"id" : "12345",
"is_chained" : true,
"chain_starter" : true,
"tags" : [
"BRUTEFORCE/WORDPRESS"
],
"phase" : 1
},
"config" : {
"line_num" : 221,
"filename" : "/etc/modsecurity/modsecurity.conf"
},
"is_matched" : true,
"unparsed" : "SecRule \"REQUEST_URI\" \"@streq /wp-login.php\" \"phase:1,auditlog,chain,nolog,id:12345,deny,tag:BRUTEFORCE/WORDPRESS+1\"",
"operator" : {
"operator" : "streq",
"operator_param" : "/wp-login.php",
"target" : "REQUEST_URI",
"negated" : false
}
},
{
"actionset" : {
"is_chained" : true,
"phase" : 1,
"tags" : [
"BOTNET"
]
},
"is_matched" : true,
"unparsed" : "SecRule \"REQUEST_HEADERS:User-Agent\" \"@streq Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\" \"chain\"",
"config" : {
"filename" : "/etc/modsecurity/modsecurity.conf",
"line_num" : 222
},
"operator" : {
"negated" : false,
"target" : "REQUEST_HEADERS:User-Agent",
"operator" : "streq",
"operator_param" : "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
}
},
{
"operator" : {
"negated" : false,
"target" : "REQUEST_METHOD",
"operator_param" : "POST",
"operator" : "streq"
},
"actionset" : {
"phase" : 1,
"is_chained" : false
},
"config" : {
"line_num" : 223,
"filename" : "/etc/modsecurity/modsecurity.conf"
},
"is_matched" : true,
"unparsed" : "SecRule \"REQUEST_METHOD\" \"@streq POST\""
}
],
"chain" : true,
"full_chain_match" : true
}
]
}

Generated with the following rules:

# Block WordPress login brute-force attempts from a fake Googlebot (https://www.cryptobells.com/fake-googlebot-wordpress-login-bruteforce/).
# Note: the rule as actually loaded (see the "unparsed" field in the audit record above) also carries the
# "auditlog" action; without it, "nolog" suppresses the audit-log entry as well as the error-log line, so the
# record shown here would not have been written. Both the URI and the User-Agent are compared with @streq,
# i.e. an exact string match — any variation in the spoofed UA string (or a path such as /wp-login.php?x)
# will not match this chain.

 SecRule REQUEST_URI "@streq /wp-login.php" "chain,phase:1,nolog,id:12345,deny,tag:BRUTEFORCE/WORDPRESS"

 SecRule REQUEST_HEADERS:User-Agent "@streq Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "chain,tag:BOTNET"

 SecRule REQUEST_METHOD "@streq POST"
