Time between attack and detection

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Time between attack and detection

Unread post by faris »

How long should it be between the time a brute force wordpress attack begins and ossec takes action?

I'm watching the logs at the moment and there's an attack on a particular site which began -- well, I can't easily tell, but way longer than 20 minutes ago -- with no shunning happening.

The access_log for domain.tld looks like this (and goes on "forever"):


50.17.243.253 - - [26/Jan/2015:12:06:29 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:30 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:30 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:31 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:31 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:32 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:33 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:33 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:34 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:34 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:35 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:35 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:36 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:36 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:37 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"
50.17.243.253 - - [26/Jan/2015:12:06:37 +0000] "POST /wp-login.php HTTP/1.0" 403 2182 "-" "-"

Confusingly, in the ASL GUI, although there are log events that say the following for this IP for the same timeframe....


 HTTP 403 Forbidden. This is not a WAF event, the web server has refused to complete the transaction 
... they are for an alias of this domain, which has no logfile as there is no /var/www/alias.tld/statistics/access_log or error_log

Back to domain.tld, the error_log shows this:


[Mon Jan 26 11:41:14 2015] [error] [client 50.17.243.253] ModSecurity:  [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.alias.tld"] [uri "/wp-login.php"] [unique_id "VMYn2Vw-goIAADbVg5UAAAAT"]
[Mon Jan 26 11:56:16 2015] [error] [client 50.17.243.253] ModSecurity:  [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.alias.tld"] [uri "/wp-login.php"] [unique_id "VMYrYFw-goIAAFF@1xkAAAAC"]
[Mon Jan 26 11:56:16 2015] [error] [client 50.17.243.253] ModSecurity:  [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.alias.tld"] [uri "/wp-login.php"] [unique_id "VMYrYFw-goIAAFOzMKcAAAAF"]
[Mon Jan 26 11:56:17 2015] [error] [client 50.17.243.253] ModSecurity:  [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.alias.tld"] [uri "/wp-login.php"] [unique_id "VMYrYVw-goIAAFRBUq8AAAAH"]
[Mon Jan 26 11:56:17 2015] [error] [client 50.17.243.253] ModSecurity:  [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.alias.tld"] [uri "/wp-login.php"] [unique_id "VMYrYVw-goIAAFQ9TqgAAAAD"]
[Mon Jan 26 11:58:14 2015] [error] [client 93.54.82.15] ModSecurity:  [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.domain.tld"] [uri "/wp-login.php"] [unique_id "VMYr1lw-goIAAFbFLC4AAAAB"]
[Mon Jan 26 11:58:15 2015] [error] [client 78.5.200.146] ModSecurity:  [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.domain.tld"] [uri "/wp-login.php"] [unique_id "VMYr11w-goIAAFXJD7EAAAAO"]
[Mon Jan 26 11:58:20 2015] [error] [client 93.61.77.214] ModSecurity:  [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.domain.tld"] [uri "/wp-login.php"] [unique_id "VMYr3Fw-goIAAFWcBZEAAAAI"]
[Mon Jan 26 11:58:23 2015] [error] [client 62.94.198.178] ModSecurity:  [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.domain.tld"] [uri "/wp-login.php"] [unique_id "VMYr3lw-goIAAFfJQf0AAAAD"]
[Mon Jan 26 11:58:24 2015] [error] [client 78.7.113.246] ModSecurity:  [file "/etc/httpd/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "www.domain.tld"] [uri "/wp-login.php"] [unique_id "VMYr31w-goIAAFWWgf4AAAAE"]
Note the timestamps -- the attacking IP was seen...

But no events since 11:58:24 are logged.

So I'm really quite confused.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Time between attack and detection

Unread post by mikeshinn »

You'll find the limits for each range defined in this file:

/var/ossec/etc/rules.d/60_asl_brute_force.xml

They are:

8 failures in 10 seconds

10 failures in 60 seconds

10 failures in 900 seconds

Note: frequency is X+2.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Time between attack and detection

Unread post by faris »

So it should have picked this up. I note that the attacker is getting 403s not 200s or 404s. The IP is just not getting shunned.

Hmmm.. Not sure where to look next. ASL is getting so smart it is confusing me these days ;-)
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Time between attack and detection

Unread post by mikeshinn »

So it should have picked this up. I note that the attacker is getting 403s not 200s or 404s. The IP is just not getting shunned.
Maybe, if WP is sending 403s then something else is going on. WP sends a 200 no matter what if an authentication fails, or succeeds. So if a 403 is being sent, something else is sending that 403. The modsec rules never change the status code for authentication failures, so it's not the rules. You'll want to find out why that site is sending 403s; my guess is that's why it's not getting shunned, because something else is going on with that site.
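Added example, not code from the thread or from Atomicorp: it ties together the two points above, the frequency/timeframe thresholds mikeshinn lists for 60_asl_brute_force.xml (with the "frequency is X+2" note) and the observation that the WAF rule counts a WordPress login failure only when wp-login.php answers 200. It parses access_log lines in the format faris posted, applies that 200-status condition, and feeds the matches through OSSEC-style per-IP sliding windows. The `FrequencyRule` class, `analyse`, `synth_lines`, the treatment of the listed numbers as the configured `frequency` attribute (so a rule fires after frequency + 2 matches), and the 192.0.2.10 address are all assumptions of this example; the thread's own IP and timestamps are reused for the 403 burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache access_log fields this example needs: client IP, timestamp,
# request line (method + URI) and the response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict for one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "uri": m["uri"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def is_wp_login_failure(ev):
    """Condition the thread's WAF rule logs as a WordPress login failure:
    a POST to /wp-login.php answered with RESPONSE_STATUS 200.  A 403 is
    not a login failure to that rule, which is why nothing gets counted."""
    return ev["method"] == "POST" and ev["uri"] == "/wp-login.php" and ev["status"] == 200


class FrequencyRule:
    """OSSEC-style composite rule (assumption of this example): fire once a
    source IP has frequency + 2 matching events inside `timeframe` seconds,
    the 'frequency is X+2' behaviour the reply mentions; then reset the window."""

    def __init__(self, name, frequency, timeframe):
        self.name = name
        self.needed = frequency + 2
        self.timeframe = timedelta(seconds=timeframe)
        self.windows = defaultdict(deque)  # ip -> timestamps inside the window

    def feed(self, ev):
        q = self.windows[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.timeframe:
            q.popleft()
        if len(q) >= self.needed:
            q.clear()
            return True
        return False


def make_rules():
    """Fresh rule set with the thresholds listed in the thread."""
    return [
        FrequencyRule("8 in 10s", 8, 10),
        FrequencyRule("10 in 60s", 10, 60),
        FrequencyRule("10 in 900s", 10, 900),
    ]


def analyse(lines):
    """Run lines through the failure test and the frequency rules.
    Returns (failures_per_ip, alerts); alerts are (rule, ip, iso_timestamp)."""
    failures = defaultdict(int)
    alerts = []
    rules = make_rules()
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_wp_login_failure(ev):
            continue
        failures[ev["ip"]] += 1
        for rule in rules:
            if rule.feed(ev):
                alerts.append((rule.name, ev["ip"], ev["ts"].isoformat()))
    return dict(failures), alerts


def synth_lines(ip, status, count, start="26/Jan/2015:12:06:29 +0000", gap=0.5):
    """Constructed access_log lines in the thread's format: `count` POSTs to
    /wp-login.php from `ip`, one every `gap` seconds, all answered `status`."""
    t0 = datetime.strptime(start, "%d/%b/%Y:%H:%M:%S %z")
    out = []
    for i in range(count):
        ts = (t0 + timedelta(seconds=i * gap)).strftime("%d/%b/%Y:%H:%M:%S %z")
        out.append(f'{ip} - - [{ts}] "POST /wp-login.php HTTP/1.0" {status} 2182 "-" "-"')
    return out


# Constructed samples: the 403 burst faris saw, then a 200 burst from a
# documentation-range address (RFC 5737) standing in for a second client.
SAMPLE_403 = synth_lines("50.17.243.253", 403, 16)
SAMPLE_200 = synth_lines("192.0.2.10", 200, 12)

if __name__ == "__main__":
    for label, lines in (("403 responses", SAMPLE_403), ("200 responses", SAMPLE_200)):
        failures, alerts = analyse(lines)
        print(label, "-> failures:", failures, "alerts:", alerts)
```

Run as-is, the 403 burst produces no failures and no alerts at all, matching what faris observed; the 200 burst trips the 10-second rule on its 10th request and the two longer rules on the 12th. Swapping the `status == 200` test for `in (200, 403)` would show how many alerts the same traffic would raise if the rule were counting 403s, which is a quick way to confirm that the missing shun is a status-code question rather than a threshold question.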
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Time between attack and detection

Unread post by faris »

Ah! Interesting. I will investigate. Thanks.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Time between attack and detection

Unread post by mikeshinn »

Check to see if it's a local modification too; some people have been asking WP to change the status code from 200 to 403. Also see if mod_evasive is blocking these requests due to their speed.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Time between attack and detection

Unread post by faris »

Ah, now mod_evasive is possible, isn't it? It used to email me when it triggered though. I don't recall if that was something I arranged or if it happened as standard. I'll dig deeper.