This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS: WEB-PHP xmlrpc.php post attempt

I have a few wordpress sites on a server behind my Astaro, and I have been having trouble connecting certain clients to them that use the XML-RPC remote publishing protocol. The IPS system was resetting the connection, citing the "WEB-PHP xmlrpc.php post attempt" as the intrusion (rule 3827). How/Why is that an intrusion? I rewrote the rule to only alert, but if it is a legitimate risk, I would rather be able to just put in an exception for one server. Is there an easy way I can view the contents of this rule?

This thread was automatically locked due to age.

0 BarryG over 15 years ago


# su -
# cd /var/chroot-snort/etc/snort/rules/
# grep 3827 *

and you'll find this, which I believe is the correct rule (googling supports this is the one):


astaro.rules[:D]rop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"D WEB-PHP xmlrpc.php post attempt"; flow:to_server,established; uricontent:"/xmlrpc.php"; fast_pattern; nocase; pcre:"/^POST\s/smi"; metadata:service http; classtype:web-application-attack; sid:2173827[;)]

Barry

0 addrockk over 15 years ago in reply to BarryG

So drop anything that tries to do a post with xmlrpc.php in the uri?
That seems broad, and this seems like a perfectly legit action, not an attack or an intrusion.
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 15 years ago

And '/smi'

Barry
Cancel
Vote Up 0 Vote Down

Cancel