On Fri, 19 Oct 2018, Bill Cole wrote:
On 19 Oct 2018, at 9:37, Alex wrote:
Hi,
Should we be adding 3 points for just this, or is there never a reason
users should be using /wp-admin in their URLs?
The score is coming out of RuleQA, so the score is derived empirically, not
by a logical proc
On Fri, 19 Oct 2018, Alex wrote:
Should we be adding 3 points for just this, or is there never a reason
users should be using /wp-admin in their URLs?
Oct 19 09:33:11.561 [1299] dbg: rules: ran uri rule __URI_WPADMIN
==> got hit: "/wp-admin/images/"
The rule description says possible phish
KHOP_DYNAMIC hits on hostnames like mx0b-00145802.pphosted.com. Proofpoint
addresses are always mail servers, not dynamic end-user lines.
--
Joseph Brennan
Lead, Email and Systems Applications
Great info - I think the other WP rules I co-wrote in the rules base conform
to this convention - I'll double check
Paul
On 19/10/2018, 20:36, "Charles Sprickman" wrote:
> On Oct 19, 2018, at 10:15 AM, Paul Stead wrote:
>
> Can't comment on the score - hacked Wordpress sites o
> On Oct 19, 2018, at 10:15 AM, Paul Stead wrote:
>
> Can't comment on the score - hacked Wordpress sites often have bits hosted in
>
> * wp-admin
Yes.
> * wp-content
Yes and no.
Everything that a user uploads for their site lives under wp-content, so any
rule triggering on that part of t
On 19 Oct 2018, at 9:37, Alex wrote:
Hi,
Should we be adding 3 points for just this, or is there never a reason
users should be using /wp-admin in their URLs?
The score is coming out of RuleQA, so the score is derived empirically,
not by a logical process based in arbitrary axioms.
That do
Can't comment on the score - hacked Wordpress sites often have bits hosted in
* wp-admin
* wp-content
Pages within these directories are publicly accessible, but it is very unusual
for a WP plugin to reference these URIs directly in outbound emails
Paul
On 19/10/2018, 14:38, "Alex" wrote:
Hi,
Should we be adding 3 points for just this, or is there never a reason
users should be using /wp-admin in their URLs?
Oct 19 09:33:11.561 [1299] dbg: rules: ran uri rule __URI_WPADMIN
==> got hit: "/wp-admin/images/"
The rule description says possible phishing, but how would an end-user