
I got this wordpress login bruteforcing rule from https://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-web_server.rules

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; flow:to_server,established; content:"/wp-login.php"; nocase; fast_pattern; http_uri; content:"POST"; http_method; content:"log|3d|"; http_client_body; content:"pwd|3d|"; http_client_body; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:2014020; rev:3;)

When I change it from 'alert' to 'reject', I am not able to log in (it says the connection is reset). I don't quite understand what the rule means. (What I understand is that when logging in, it looks for log or 3d in the POST/GET method, looks for client_body pwd 3d, and attempted-recon means it's someone "probing" the server.)

Only one user is able to log in to WordPress when 'reject' is used. Three other users get "ERR_CONNECTION_RESET" in Chrome.

Update for extra info

The following rules are working fine and they don't prevent users from logging in:

http://blog.inliniac.net/2007/03/20/new-wordpress-issue-modsecurity-rule/

reject tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WORDPRESS wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?://iU"; classtype:web-application-attack; sid:4000003; rev:1;)

http://seclists.org/snort/2014/q3/856

reject tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Wordpress Brute Force Login"; flow:to_server,established;content:"POST"; nocase; http_method; uricontent:"/wp-login.php"; nocase; content:!"wp-submit"; nocase; classtype:web-application-attack; sid:90000100; rev:1;)

The server is running within the university network, and staff who tried to log in from within the network were blocked. I tried to log in and was blocked as well. So could that be the rule's problem?

kenpeter

1 Answer


I'm fairly sure Snort applies those sorts of rules on a per-IP basis, so my initial guess would be that you've got some sort of reverse proxy between the Internet and Snort, so it's seeing all requests coming from the same IP, sees a lot of attempts to log in coming from a single IP, and freaks out thinking that someone's trying to brute force account passwords.

womble