Quite often people scan for WordPress installs by checking whether an HTTP request to /xmlrpc.php succeeds. Since I do not run WordPress at all, it is low-hanging fruit to block any source IP that makes an HTTP request for that path to my web servers. The following IDP policy rule blocks the attacker for a period of 1 hour and also closes the connection to the web server.
Custom Attack
This is the actual attack definition. It should be loaded under the security idp configuration tree. The recommended-action set here is what the policy rule's "recommended" action carries out when the signature matches:
custom-attack HTTP:WORDPRESS:REQUEST-XMLRPC {
    recommended-action close;
    severity minor;
    attack-type {
        signature {
            context http-url-parsed;
            pattern ".*/xmlrpc\.php";
            direction client-to-server;
            shellcode no-shellcode;
        }
    }
}
IDP Policy Rule
To use the above custom attack it needs to be added to your IDP policy. As an example, the IDP policy I use is called Default.Policy; you can load the configuration below into the security idp idp-policy Default.Policy rulebase-ips configuration tree. The ip-action section is what blocks future traffic from the source address for the timeout period (3600 seconds), while the rule action handles the matching session itself.
rule WordPress-XMLRPC:Block {
    description "Block HTTP requests to /xmlrpc.php";
    match {
        from-zone any;
        source-address any;
        to-zone any;
        destination-address any;
        application default;
        attacks {
            custom-attacks HTTP:WORDPRESS:REQUEST-XMLRPC;
        }
    }
    then {
        action {
            recommended;
        }
        ip-action {
            ip-block;
            target source-address;
            log;
            timeout 3600;
        }
        notification {
            log-attacks {
                alert;
            }
        }
    }
}
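As a follow-up check, added here and not part of the original post: a small Python script that reads IDP attack log lines and reports which source addresses are still inside the 3600-second ip-block window for the HTTP:WORDPRESS:REQUEST-XMLRPC attack. The sample lines are constructed to approximate Junos RT_IDP IDP_ATTACK_LOG_EVENT syslog output and are not captured from a real device; the script assumes each new hit starts a fresh block window.

```python
import re
from collections import namedtuple

# Values taken from the IDP configuration above.
ATTACK_NAME = "HTTP:WORDPRESS:REQUEST-XMLRPC"
BLOCK_TIMEOUT = 3600  # ip-action timeout, in seconds

# Constructed sample lines approximating Junos RT_IDP IDP_ATTACK_LOG_EVENT
# syslog output; they are not real device output.
SAMPLE_LOG = """\
Mar  3 10:00:01 srx RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1709460001, SIG Attack log <203.0.113.7/41522->192.0.2.10/80> for TCP protocol-id 6 and service SERVICE_IDP_HTTP by rule 1 of rulebase IPS in policy Default.Policy. attack: repeat=0, action=CLOSE, threat-severity=MINOR, name=HTTP:WORDPRESS:REQUEST-XMLRPC
Mar  3 10:20:11 srx RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1709461211, SIG Attack log <198.51.100.9/50101->192.0.2.10/80> for TCP protocol-id 6 and service SERVICE_IDP_HTTP by rule 1 of rulebase IPS in policy Default.Policy. attack: repeat=0, action=CLOSE, threat-severity=MINOR, name=HTTP:WORDPRESS:REQUEST-XMLRPC
Mar  3 10:25:30 srx RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 1709461530, SIG Attack log <198.51.100.9/50102->192.0.2.10/80> for TCP protocol-id 6 and service SERVICE_IDP_HTTP by rule 1 of rulebase IPS in policy Default.Policy. attack: repeat=0, action=CLOSE, threat-severity=MINOR, name=HTTP:EXAMPLE:OTHER-SIG
"""

# Pull the epoch timestamp, source address and attack name out of one line.
LINE_RE = re.compile(
    r"IDP: at (?P<ts>\d+), SIG Attack log <(?P<src>[\d.]+)/\d+->.*?"
    r"name=(?P<name>[A-Z0-9:_-]+)"
)

Hit = namedtuple("Hit", "ts src name")


def parse_hits(log_text):
    """Return one Hit per attack log line; lines that do not match are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits.append(Hit(int(m["ts"]), m["src"], m["name"]))
    return hits


def active_blocks(log_text, now, attack=ATTACK_NAME, timeout=BLOCK_TIMEOUT):
    """Map source IP -> block expiry (epoch seconds) for hits on `attack`
    whose ip-action window has not yet elapsed at time `now`.
    Assumption: each new hit starts a fresh `timeout` window for that source."""
    expiry = {}
    for hit in parse_hits(log_text):
        if hit.name != attack:
            continue
        expiry[hit.src] = max(expiry.get(hit.src, 0), hit.ts + timeout)
    return {src: exp for src, exp in expiry.items() if exp > now}


if __name__ == "__main__":
    # Report blocks still active 50 minutes after the first sample hit.
    for src, exp in sorted(active_blocks(SAMPLE_LOG, 1709463001).items()):
        print(f"{src} blocked until epoch {exp}")
```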