<div dir="ltr"><div>Hello,</div><div><br></div><div>The issue is the inclusion of geoip, which is an IP keyword. <a href="http://suricata.readthedocs.io/en/latest/rules/header-keywords.html?highlight=geoip">http://suricata.readthedocs.io/en/latest/rules/header-keywords.html?highlight=geoip</a></div><div><br></div><div>If you define a range of IPs in the suricata.yaml as the variable SG_NET you want to allow logins from, you could probably do something similar with the below. </div><div><br></div><div>drop http [!$SG_NET,$EXTERNAL_NET] any -> any any (msg:"WORDPRESS Brute Force Login"; flow:to_server,established; content:"POST"; http_method; content:"/wp-login.php"; nocase; http_uri; sid:56; rev:1;)</div><div><br></div><div>Thanks,</div><div><br></div><div>Jason</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 2, 2017 at 11:35 AM, Mesra.net CEO <span dir="ltr"><<a href="mailto:admin@mesra.my" target="_blank">admin@mesra.my</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div dir="ltr">
<div style="FONT-SIZE:10pt;FONT-FAMILY:'Arial';COLOR:#000000">
<div>Dear All,</div>
<div> </div>
<div>I am trying to make a rule to drop any access from outside Singapore to wplogin.php, 
and this is the rule:<br></div>
<div>drop tcp $EXTERNAL_NET any -> any $HTTP_PORTS (msg:"WORDPRESS Brute Force Login"; flow:to_server,established; content:"POST"; nocase; http_method; uricontent:"/wp-login.php"; nocase; geoip:src,!SG; sid:56; rev:1;)</div>
<div> </div>
<div>But I have an error:</div>
<div> </div>
<div>[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet 
specific matches (like dsize, flags, ttl) with stream / state matching by 
matching on app layer proto (like using http_* keywords).</div>
<div> </div>
<div>What am I doing wrong? Please help, and thank you so much.</div>
<div> </div></div></div></div>
<br>______________________________<wbr>_________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@<wbr>openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/<wbr>support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.<wbr>openinfosecfoundation.org/<wbr>mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/<wbr>training/</a><br></blockquote></div><br></div>
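<div>A pre-load check for the conflict named in the error message, added here as an example; it is not part of the original thread and is not Suricata's own parser. It flags a rule whose options mix packet keywords with http_* keywords. The keyword sets and function names are assumptions limited to what the thread mentions, and the two rules are the ones from the messages above.</div>

```python
import re

# Packet-level keywords: the three the error message names, plus geoip,
# which the reply identifies as an IP keyword.
PACKET_KEYWORDS = {"dsize", "flags", "ttl", "geoip"}
# Assumption: http_* modifiers and the legacy uricontent keyword are what
# this check treats as app-layer (stream / state) matching.
APP_LAYER = re.compile(r"(http_\w+|uricontent)")

# The two rules from the thread, with the e-mail markup stripped.
QUOTED_RULE = (
    'drop tcp $EXTERNAL_NET any -> any $HTTP_PORTS (msg:"WORDPRESS Brute '
    'Force Login"; flow:to_server,established;content:"POST"; nocase; '
    'http_method; uricontent:"/wp-login.php"; nocase; geoip:src,!SG; '
    'sid:56; rev:1;)'
)
REPLY_RULE = (
    'drop http [!$SG_NET,$EXTERNAL_NET] any -> any any (msg:"WORDPRESS '
    'Brute Force Login"; flow:to_server,established; content:"POST"; '
    'http_method; content:"/wp-login.php"; nocase; http_uri; sid:56; rev:1;)'
)


def option_names(rule):
    """Return the option keyword names, splitting on ';' outside quotes."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    options, buf, quoted, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not quoted and not escaped:
            options.append("".join(buf))
            buf = []
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = ch == "\\" and not escaped
        buf.append(ch)
    names = [opt.split(":", 1)[0].strip().lower() for opt in options]
    return [name for name in names if name]


def mixed_keywords(rule):
    """Return (packet, app_layer) keyword lists if the rule mixes both."""
    names = set(option_names(rule))
    packet = sorted(names & PACKET_KEYWORDS)
    app_layer = sorted(n for n in names if APP_LAYER.fullmatch(n))
    return (packet, app_layer) if packet and app_layer else None
```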