Improvement on wordpress bruteforce scenario
I have made some changes to the WP BruteForce scenario to avoid blocking on password reset or lost-password requests. The leakspeed is increased; the default scenario does not detect many attacks. This scenario also detects access to the xmlrpc.php file. Take care if you use xmlrpc: whitelist the IP, or do not use this scenario.
type: leaky
name: si/http-bf-wordpress_bf-custom
description: "detect wordpress bruteforce"
debug: false
# Any POST to wp-login.php or xmlrpc.php that is not a lost-password / reset-password request.
# Access logs carry no auth result, so successful logins (and legitimate xmlrpc.php clients)
# are counted too; 'not in' is an exact match on the whole query string.
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name in ['wp-login.php','xmlrpc.php'] && evt.Parsed.verb == 'POST' && evt.Parsed.http_args not in ['action=lostpassword','action=resetpass']"
groupby: evt.Meta.source_ip
capacity: 3
leakspeed: "300s"
blackhole: 5m
labels:
  service: http
  type: bruteforce
  remediation: true
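To see what the filter and the bucket settings above actually do, here is an added Python model (written for this page; it is not CrowdSec code and not part of the hub entry) that replays constructed nginx access-log lines through the same filter logic and a leaky bucket with capacity 3, leakspeed 300s and blackhole 5m. The log regex, the `LeakyBucket` class, the sample IPs and the log lines are assumptions made for the example; the bucket is modelled as overflowing on the (capacity+1)th event it holds, which is assumed to match CrowdSec's capacity semantics rather than copied from its implementation.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

CAPACITY = 3  # capacity / leakspeed / blackhole copied from the scenario above
LEAKSPEED = timedelta(seconds=300)  # one event leaks out of the bucket every 300s
BLACKHOLE = timedelta(minutes=5)    # after an overflow, that IP's events are dropped for 5m
WATCHED_FILES = {"wp-login.php", "xmlrpc.php"}
EXCLUDED_ARGS = {"action=lostpassword", "action=resetpass"}

# Assumption: minimal nginx "combined" regex standing in for the hub's nginx/http parsers.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<request>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(line):
    """Extract the fields the scenario filter reads; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["request"])
    return {
        "source_ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "verb": m["verb"],
        "file_name": url.path.rsplit("/", 1)[-1],
        "http_args": url.query,  # query string without the leading '?'
    }

def matches_filter(evt):
    """The scenario's filter: every POST counts (successful logins too) and 'not in'
    is an exact match on the whole query string."""
    return (evt["file_name"] in WATCHED_FILES
            and evt["verb"] == "POST"
            and evt["http_args"] not in EXCLUDED_ARGS)

class LeakyBucket:
    """Per-IP bucket, modelled as overflowing on the (CAPACITY + 1)th event it holds."""
    def __init__(self):
        self.level = 0.0
        self.last = None
        self.blackhole_until = None

    def pour(self, now):
        """Add one event at time `now`; return True when the bucket overflows."""
        if self.blackhole_until is not None and now < self.blackhole_until:
            return False  # discarded while the IP is blackholed
        if self.last is not None:
            self.level = max(0.0, self.level - (now - self.last) / LEAKSPEED)
        self.last = now
        self.level += 1
        if self.level > CAPACITY:
            self.level, self.last = 0.0, None
            self.blackhole_until = now + BLACKHOLE
            return True
        return False

def replay(lines):
    """Run each line through parse + filter + its IP's bucket; return (ip, time) overflows."""
    buckets, alerts = {}, []
    for line in lines:
        evt = parse(line)
        if evt is None or not matches_filter(evt):
            continue
        bucket = buckets.setdefault(evt["source_ip"], LeakyBucket())
        if bucket.pour(evt["time"]):
            alerts.append((evt["source_ip"], evt["time"].strftime("%H:%M:%S")))
    return alerts

def logline(ip, hms, verb, request, status=200):
    """Build a constructed nginx combined-format line (sample data, not real traffic)."""
    return (f'{ip} - - [10/May/2024:{hms} +0000] "{verb} {request} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

SAMPLE_LOG = [
    # 198.51.100.7: GET ignored, lost-password POST excluded, 4th POST overflows, 5th blackholed
    logline("198.51.100.7", "12:00:00", "GET", "/wp-login.php"),
    logline("198.51.100.7", "12:00:01", "POST", "/wp-login.php?action=lostpassword", 302),
    logline("198.51.100.7", "12:00:02", "POST", "/wp-login.php"),
    logline("198.51.100.7", "12:00:03", "POST", "/wp-login.php"),
    logline("198.51.100.7", "12:00:04", "POST", "/wp-login.php"),
    logline("198.51.100.7", "12:00:05", "POST", "/wp-login.php"),
    logline("198.51.100.7", "12:00:06", "POST", "/wp-login.php"),
    # 203.0.113.9: POSTs to xmlrpc.php count exactly like wp-login.php ones
    logline("203.0.113.9", "12:01:00", "POST", "/xmlrpc.php"),
    logline("203.0.113.9", "12:01:01", "POST", "/xmlrpc.php"),
    logline("203.0.113.9", "12:01:02", "POST", "/xmlrpc.php"),
    logline("203.0.113.9", "12:01:03", "POST", "/xmlrpc.php"),
    # 192.0.2.4: 3 POSTs, then one 600s later; two events leaked (600s / 300s), no overflow
    logline("192.0.2.4", "12:02:00", "POST", "/wp-login.php"),
    logline("192.0.2.4", "12:02:01", "POST", "/wp-login.php"),
    logline("192.0.2.4", "12:02:02", "POST", "/wp-login.php"),
    logline("192.0.2.4", "12:12:02", "POST", "/wp-login.php"),
]
if __name__ == "__main__":
    for ip, when in replay(SAMPLE_LOG):
        print(f"overflow: {ip} at {when}")
```

Running it reports overflows for 198.51.100.7 at 12:00:05 and 203.0.113.9 at 12:01:03 and nothing for 192.0.2.4, whose fourth POST arrives after two events have leaked. Because the exclusion is an exact match, a hypothetical query string such as `action=lostpassword&redirect_to=...` would still be counted by `matches_filter`; if you need to tolerate that, the filter expression would have to test the `action` parameter rather than the whole string. On a real install, `cscli explain` runs actual log lines through the installed parsers and scenarios and is the authoritative check.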