Scripting question concerning web brute force attacks

Back from BroCon and am stoked about writing my first script! So I'm interested in detecting multiple visits to login pages for common content managers (WordPress, Joomla, Drupal, etc.) in order to spot potential password guessing attacks. I took a look at some Bro samples and came up with the code that is below. I planned on using an http_request event handler to check for requests to login pages and increment a counter. Question is, how do I do this by the origin and destination IP addresses (i.e. if and yyy.yyy.yyy.yyy both attempt to log in to the server zzz.zzz.zzz.zzz, how do I prevent and yyy.yyy.yyy.yyy from being counted by the same counter?)

P.S. Sorry in advance if this is the wrong forum to ask for coding advice.

@load base/protocols/http
@load base/protocols/ssl

module HTTP;

export {
	redef enum Notice::Type += {
		# Placeholder name: the original snippet did not finish naming this notice.
		Login_Page_Visit,
	};
}

# Stray ")" after &priority removed; the handler needs a body block.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=5
	{
	if ( /wp-login.php/ in original_URI )
		{
		# TODO: If we get here increment a counter of visits for this particular ip address
		}
	}



You could create a global table indexed by orig IP with a type of count. Then increment each IP’s count within an HTTP event. You’ll also likely want to include an expiration timer on the table’s entries.
Feel free to ask more questions!


I would take a look at scripts/policy/protocols/http/detect-sqli.bro

It's a bit verbose, but it does basically the same thing you are looking for (it's 2x as big, though, because it tracks attackers and victims separately, so you'd still notice a distributed attack against a single victim).
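Putting the two replies above together (a global table keyed by IP with an expiration timer, tracking attacker and victim separately), here is an added example script that is not from the thread or from the Bro distribution. The module name, notice type, URI patterns, threshold and window are all my own assumptions; it indexes the table by the [orig_h, resp_h] pair so two clients hitting the same server get separate counters, and raises one suppressed notice per pair when the threshold is reached.

```bro
@load base/frameworks/notice
@load base/protocols/http

module CMSLogin;

export {
	redef enum Notice::Type += {
		## One source reached the threshold of CMS login-page requests
		## against one server within the window (assumed notice name).
		Password_Guessing,
	};

	## Login pages of common content managers (assumed pattern set).
	const login_uri = /wp-login\.php/ | /\/administrator\/index\.php/ | /\/user\/login/ &redef;

	## Requests from one client to one server before a notice is raised (assumed value).
	const threshold = 20 &redef;

	## Idle time after which a counter is forgotten (assumed value).
	const window = 10min &redef;
}

# Counter keyed by (attacker, victim); an entry expires `window` after creation,
# so old bursts do not pile up across the whole run.
global attempts: table[addr, addr] of count &create_expire=window;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=3
	{
	# Match on the unescaped URI so %2F-style encoding cannot dodge the pattern.
	if ( login_uri !in unescaped_URI )
		return;

	local orig = c$id$orig_h;
	local resp = c$id$resp_h;

	if ( [orig, resp] !in attempts )
		attempts[orig, resp] = 0;

	++attempts[orig, resp];

	# Fire exactly once per pair per window; $identifier + $suppress_for
	# keeps the notice framework from repeating it for every later request.
	if ( attempts[orig, resp] == threshold )
		NOTICE([$note=Password_Guessing,
		        $msg=fmt("%s made %d requests to a CMS login page on %s within %s",
		                 orig, threshold, resp, window),
		        $conn=c,
		        $identifier=cat(orig, resp),
		        $suppress_for=window]);
	}
```

A distributed guess (many clients, one server) shows up as many separate notices against the same resp_h; if you want a single alarm for that case, add a second table keyed only by the victim address.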