<HTML><HEAD></HEAD>
<BODY dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial'; COLOR: #000000">
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial'; COLOR: #000000">
<DIV>Thanks Jason,</DIV>
<DIV> </DIV>
<DIV>Btw, may I know how I can enable <FONT face=Calibri><FONT
style="FONT-SIZE: 12pt">[!$SG_NET,$EXTERNAL_NET]? That is not supported on my
Suricata.</FONT></FONT></DIV>
<DIV><FONT size=3 face=Calibri></FONT> </DIV>
<DIV><FONT size=3 face=Calibri>TQ so much</FONT></DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV style="FONT: 10pt tahoma">
<DIV> </DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><B>From:</B> <A
title=jwilliams@emergingthreats.net>Jason Williams</A> </DIV>
<DIV><B>Sent:</B> Thursday, August 3, 2017 5:09 AM</DIV>
<DIV><B>To:</B> <A title=admin@mesra.my>Mesra.net CEO</A> </DIV>
<DIV><B>Cc:</B> <A
title=oisf-users@lists.openinfosecfoundation.org>oisf-users@lists.openinfosecfoundation.org</A>
</DIV>
<DIV><B>Subject:</B> Re: [Oisf-users] Wordpress Brute Force
Rules</DIV></DIV></DIV>
<DIV> </DIV></DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV dir=ltr>
<DIV>Hello,</DIV>
<DIV> </DIV>
<DIV>The issue is the inclusion of geoip, which is an IP keyword. <A
href="http://suricata.readthedocs.io/en/latest/rules/header-keywords.html?highlight=geoip">http://suricata.readthedocs.io/en/latest/rules/header-keywords.html?highlight=geoip</A></DIV>
<DIV> </DIV>
<DIV>If you define a range of IPs in the suricata.yaml as the variable SG_NET
you want to allow logins from, you could probably do something similar with the
below. </DIV>
<DIV> </DIV>
<DIV>drop http [!$SG_NET,$EXTERNAL_NET] any -> any any (msg:"WORDPRESS Brute
Force Login"; flow:to_server,established; content:"POST"; http_method;
content:"/wp-login.php"; nocase; http_uri; sid:56; rev:1;)</DIV>
<DIV> </DIV>
<DIV>Thanks,</DIV>
<DIV> </DIV>
<DIV>Jason</DIV>
<DIV> </DIV></DIV>
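<DIV>A quick lint for the condition Jason describes, added here as an example (not code from the list or from Suricata itself): it splits a rule into its header and option keywords and reports any packet-level keyword that sits next to http_* keywords. The packet-keyword set is a constructed subset, the three named in the error plus geoip.</DIV>

```python
import re

# Packet / IP-header keywords that Suricata refuses to combine with app-layer
# matching in one signature. Constructed subset: the three the error message
# names, plus geoip, which the reply identifies as an IP keyword.
PACKET_KEYWORDS = {"geoip", "dsize", "flags", "ttl"}

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

# The two rules from the thread, verbatim (the first is the one that errors).
OP_RULE = ('drop tcp $EXTERNAL_NET any -> any $HTTP_PORTS (msg:"WORDPRESS Brute Force '
           'Login"; flow:to_server,established;content:"POST"; nocase; http_method; '
           'uricontent:"/wp-login.php"; nocase; geoip:src,!SG; sid:56; rev:1;)')
REPLY_RULE = ('drop http [!$SG_NET,$EXTERNAL_NET] any -> any any (msg:"WORDPRESS Brute '
              'Force Login"; flow:to_server,established; content:"POST"; http_method; '
              'content:"/wp-login.php"; nocase; http_uri; sid:56; rev:1;)')


def split_options(opts):
    """Split the option body on ';' while leaving double-quoted values intact."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return [o for o in out + ["".join(cur).strip()] if o]


def parse_rule(rule):
    """Return the header fields plus the ordered list of option keyword names."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a single-line Suricata rule: %r" % rule)
    fields = m.groupdict()
    opts = split_options(fields.pop("opts"))
    fields["keywords"] = [o.split(":", 1)[0].strip() for o in opts]
    return fields


def check_rule(rule):
    """Return the packet keywords that clash with http_* keywords (empty = clean)."""
    kws = parse_rule(rule)["keywords"]
    packet = sorted({k for k in kws if k in PACKET_KEYWORDS})
    app_layer = [k for k in kws if k.startswith("http_") or k == "uricontent"]
    return packet if packet and app_layer else []
```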
<DIV class=gmail_extra>
<DIV> </DIV>
<DIV class=gmail_quote>On Wed, Aug 2, 2017 at 11:35 AM, Mesra.net CEO <SPAN
dir=ltr>&lt;<A target=_blank>admin@mesra.my</A>&gt;</SPAN> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex">
<DIV dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial'; COLOR: #000000">
<DIV>Dear All,</DIV>
<DIV> </DIV>
<DIV>I am trying to make a rule to drop any access from outside Singapore to
wp-login.php, and this is the rule:<BR></DIV>
<DIV>drop tcp $EXTERNAL_NET any -> any $HTTP_PORTS (msg:"WORDPRESS Brute Force Login";
flow:to_server,established; content:"POST"; nocase; http_method;
uricontent:"/wp-login.php"; nocase; geoip:src,!SG; sid:56; rev:1;)</DIV>
<DIV> </DIV>
<DIV>But i have an error:</DIV>
<DIV> </DIV>
<DIV>[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet
specific matches (like dsize, flags, ttl) with stream / state matching by
matching on app layer proto (like using http_* keywords).</DIV>
<DIV> </DIV>
<DIV>What am I doing wrong? Please help, and thank you so much.</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV></DIV></DIV></DIV><BR>_______________________________________________<BR>Suricata
IDS Users mailing list:
<A>oisf-users@openinfosecfoundation.org</A><BR>Site: <A
href="http://suricata-ids.org" rel=noreferrer
target=_blank>http://suricata-ids.org</A> | Support: <A
href="http://suricata-ids.org/support/" rel=noreferrer
target=_blank>http://suricata-ids.org/support/</A><BR>List: <A
href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users"
rel=noreferrer
target=_blank>https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</A><BR><BR>Conference:
<A href="https://suricon.net" rel=noreferrer
target=_blank>https://suricon.net</A><BR>Trainings: <A
href="https://suricata-ids.org/training/" rel=noreferrer
target=_blank>https://suricata-ids.org/training/</A><BR></BLOCKQUOTE></DIV>
<DIV> </DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></BODY></HTML>