Detect failed HTTPS logins and get the source IP?

All,

Our organization recently began to experience an attack where they are trying to log into a 3rd party web application that we have exposed externally. They appear to be using a botnet that is spread across the globe, so our efforts to block country segments are only marginally effective. The real issue is that the application does not provide source IP addresses in the logs for the failed login attempts because it is being served up through nginx.

We are just now starting to dabble with Bro, but still have very little ‘real world’ experience with writing our own scripts. Has anyone written a script that might give us a little help in this direction? We need to be able to track a session (login request), wait for a failure to return through, and then apply a threshold. So for example, I want to log an “alert” (sorry, forget what the terminology is in Bro) if an IP address fails login n times in x seconds. We will then use that log to block that IP address for a period of time.

Is this something that Bro can do, and if so, where do I start? Any guidance would be greatly appreciated.

Thanks,
Joey
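As an added example (not from this thread or the script linked below), here is the "n failures from one IP in x seconds" threshold applied to records in Bro's http.log format, which carries the client address (id.orig_h) as seen on the wire rather than whatever the application logs behind nginx. It assumes the sensor sees the client-facing side of the traffic, that the login form posts to `/login`, and that a failed login comes back as HTTP 401 (constructed sample data; adjust the URI and status code to match the application).

```python
from collections import defaultdict, deque

# Constructed sample in Bro http.log format: tab-separated, columns declared by
# the "#fields" header. A real http.log has more columns; parsing by the header
# means the same code reads either one.
SAMPLE_HTTP_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tstatus_code
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tcount
1400000000.000\tC1\t198.51.100.7\t50111\t192.0.2.10\t443\tPOST\tapp.example\t/login\t401
1400000001.500\tC2\t198.51.100.7\t50112\t192.0.2.10\t443\tPOST\tapp.example\t/login\t401
1400000002.000\tC3\t203.0.113.5\t40001\t192.0.2.10\t443\tPOST\tapp.example\t/login\t401
1400000003.000\tC4\t198.51.100.7\t50113\t192.0.2.10\t443\tPOST\tapp.example\t/login\t401
1400000004.000\tC5\t198.51.100.7\t50114\t192.0.2.10\t443\tPOST\tapp.example\t/login\t200
1400000120.000\tC6\t203.0.113.5\t40002\t192.0.2.10\t443\tPOST\tapp.example\t/login\t401
1400000121.000\tC7\t203.0.113.5\t40003\t192.0.2.10\t443\tPOST\tapp.example\t/login\t401
1400000122.000\tC8\t203.0.113.5\t40004\t192.0.2.10\t443\tPOST\tapp.example\t/login\t401
"""


def parse_http_log(text):
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blank lines
        else:
            yield dict(zip(fields, line.split("\t")))


def detect_login_bruteforce(records, threshold=3, window=60.0, login_uri="/login"):
    """Return {client_ip: ts of first crossing} for every client with at least
    `threshold` failed logins (HTTP 401 to login_uri) inside any sliding
    window of `window` seconds. Failures older than the window are dropped,
    so a slow trickle below the rate never fires."""
    failures = defaultdict(deque)  # client ip -> timestamps of recent failures
    alerts = {}
    for r in records:
        if r["uri"] != login_uri or r["status_code"] != "401":
            continue
        ts, ip = float(r["ts"]), r["id.orig_h"]
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts  # one alert per client; feed this to the blocker
    return alerts


if __name__ == "__main__":
    for ip, ts in detect_login_bruteforce(parse_http_log(SAMPLE_HTTP_LOG)).items():
        print(f"{ts:.3f} {ip} crossed the failed-login threshold")
```

The same sliding-window count is what a Bro script would do in-line with the SumStats framework; running it over http.log first is a cheap way to pick sensible values for n and x before wiring up the block action.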

Hey Joey,

There are endless derivations you can do of this, however here’s an approach assuming you are speaking of http basic authorization:

https://github.com/criticalstack/bro-scripts/blob/master/http-basic-auth-bruteforcing/detect-http-basic-auth-bruteforcer.bro

I noted a number of derivations of the script in the comments at the top to give you some thoughts.

Have you looked at the characteristics of the attacking hosts? Are they members of a specific botnet?

V/r,

Liam Randall