<div dir="ltr">
<p>You will need to create a new variable in your suricata.yaml file.</p>
<p>code:</p>
<pre>
##
## Step 1: inform Suricata about your network
##

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"
</pre>
<p>You would first need to determine the subnets you want to assign to this variable. You could pull these out of the GeoIP db or use a website like <a href="http://www.nirsoft.net/countryip/sg.html">http://www.nirsoft.net/countryip/sg.html</a>.</p>
<p>You can then add a variable like so:</p>
<pre>
##
## Step 1: inform Suricata about your network
##

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    SG_NET: "[1.32.128.0/18,14.100.0.0/16,27.34.176.0/20...add more subnets as needed]"   &lt;------------ Add
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"
</pre>
<p>Thanks,</p>
<p>Jason</p>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Aug 3, 2017 at 5:24 AM, Mesra.net CEO <span dir="ltr">&lt;<a href="mailto:admin@mesra.my" target="_blank">admin@mesra.my</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<p>Thanks Jason,</p>
<p>Btw, may I know how I can enable [!$SG_NET,$EXTERNAL_NET]? That is not supported on my Suricata.</p>
<p>TQ so much</p>
<div style="BACKGROUND:#f5f5f5">
<div><b>From:</b> <a title="jwilliams@emergingthreats.net">Jason Williams</a></div>
<div><b>Sent:</b> Thursday, August 3, 2017 5:09 AM</div>
<div><b>To:</b> <a title="admin@mesra.my">Mesra.net CEO</a></div>
<div><b>Cc:</b> <a title="oisf-users@lists.openinfosecfoundation.org">oisf-users@lists.openinfosecfoundation.org</a></div>
<div><b>Subject:</b> Re: [Oisf-users] Wordpress Brute Force Rules</div>
</div>
<div dir="ltr">
<p>Hello,</p>
<p>The issue is the inclusion of geoip, which is an IP keyword: <a href="http://suricata.readthedocs.io/en/latest/rules/header-keywords.html?highlight=geoip" target="_blank">http://suricata.readthedocs.io/en/latest/rules/header-keywords.html?highlight=geoip</a></p>
<p>If you define the range of IPs you want to allow logins from in the suricata.yaml as the variable SG_NET, you could probably do something similar with the below.</p>
<pre>
drop http [!$SG_NET,$EXTERNAL_NET] any -&gt; any any (msg:"WORDPRESS Brute Force Login"; flow:to_server,established; content:"POST"; http_method; content:"/wp-login.php"; nocase; http_uri; sid:56; rev:1;)
</pre>
<p>Thanks,</p>
<p>Jason</p>
<div class="gmail_extra">
<div class="gmail_quote">On Wed, Aug 2, 2017 at 11:35 AM, Mesra.net CEO <span dir="ltr">&lt;<a>admin@mesra.my</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT:1ex;BORDER-LEFT:#ccc 1px solid;MARGIN:0px 0px 0px 0.8ex">
<div dir="ltr">
<p>Dear All,</p>
<p>I am trying to make a rule to drop any access from outside Singapore to wp-login.php, and this is the rule:</p>
<pre>
drop tcp $EXTERNAL_NET any -&gt; any $HTTP_PORTS (msg:"WORDPRESS Brute Force Login"; flow:to_server,established; content:"POST"; nocase; http_method; uricontent:"/wp-login.php"; nocase; geoip:src,!SG; sid:56; rev:1;)
</pre>
<p>But I have an error:</p>
<pre>
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
</pre>
<p>What am I doing wrong? Please help, and thank you so much.</p>
</div>
<br>_______________________________________________<br>
Suricata IDS Users mailing list: <a>oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br><br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a><br>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
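<p>As an added example that is not code from the thread or from the Suricata project: a small Python helper for the two tasks the thread walks through. It builds the SG_NET address-group line for suricata.yaml from a list of CIDRs (validating each prefix and collapsing overlapping or adjacent ones), tells you whether a given client address falls inside the group, and lints a rule for the combination of an IP/packet keyword such as geoip with http_* keywords that produced the SC_ERR_INVALID_SIGNATURE(39) error above. Assumptions: the prefix list is a constructed sample seeded from the three prefixes quoted in the thread, not a complete list of Singapore address space; PACKET_KEYWORDS is illustrative, not Suricata's full set of packet-level keywords; and the option tokenizer is simplified and expects well-formed rules.</p>

```python
"""Added example (not Suricata's code and not from the thread): build a
SG_NET address group and lint a rule for the keyword mix behind
SC_ERR_INVALID_SIGNATURE(39)."""
import ipaddress
import re

# Constructed sample input: the three Singapore prefixes quoted in the thread
# plus two deliberately overlapping/adjacent ones to show collapsing. It is
# NOT a complete list of Singapore address space.
SAMPLE_SG_CIDRS = [
    "1.32.128.0/18",
    "14.100.0.0/16",
    "27.34.176.0/20",
    "14.100.8.0/24",   # inside 14.100.0.0/16, will be absorbed
    "1.32.192.0/18",   # adjacent to 1.32.128.0/18, will merge into a /17
]

# Illustrative, not exhaustive: dsize/flags/ttl are the examples named in the
# error text quoted in the thread; geoip is the one the reply points at.
PACKET_KEYWORDS = {"dsize", "flags", "ttl", "geoip"}

# Copies of the two rules from the thread, used here as sample input.
ORIGINAL_RULE = (
    'drop tcp $EXTERNAL_NET any -> any $HTTP_PORTS (msg:"WORDPRESS Brute Force Login"; '
    'flow:to_server,established; content:"POST"; nocase; http_method; '
    'uricontent:"/wp-login.php"; nocase; geoip:src,!SG; sid:56; rev:1;)'
)
SUGGESTED_RULE = (
    'drop http [!$SG_NET,$EXTERNAL_NET] any -> any any (msg:"WORDPRESS Brute Force Login"; '
    'flow:to_server,established; content:"POST"; http_method; '
    'content:"/wp-login.php"; nocase; http_uri; sid:56; rev:1;)'
)


def build_address_group(name, cidrs):
    """Return the suricata.yaml address-groups line for `name`.

    strict=True rejects prefixes with host bits set (e.g. 1.2.3.4/24) instead
    of silently emitting a group Suricata would refuse to load; collapsing
    keeps overlapping or adjacent entries from bloating the group.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    merged = ipaddress.collapse_addresses(nets)
    return '{}: "[{}]"'.format(name, ",".join(str(n) for n in merged))


def source_in_group(ip, cidrs):
    """True when `ip` belongs to one of the group's prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def split_options(opts):
    """Split a rule's option string on ';' while respecting quoted values."""
    parts, buf, in_str = [], [], False
    for ch in opts:
        if ch == '"' and not (buf and buf[-1] == "\\"):
            in_str = not in_str
        if ch == ";" and not in_str:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


_OPTIONS_RE = re.compile(r"\((.*)\)\s*$", re.S)


def rule_keywords(rule):
    """Return the option keyword names of a rule, in order of appearance."""
    m = _OPTIONS_RE.search(rule)
    if not m:
        raise ValueError("rule has no option section")
    return [opt.split(":", 1)[0].strip().lower() for opt in split_options(m.group(1))]


def lint_rule(rule):
    """Return (packet_keywords, app_layer_keywords) found in the rule."""
    kws = rule_keywords(rule)
    packet = sorted({k for k in kws if k in PACKET_KEYWORDS})
    app = sorted({k for k in kws
                  if k.startswith(("http_", "http.")) or k == "uricontent"})
    return packet, app


def mixes_packet_and_app_layer(rule):
    """True when the rule combines both kinds, the mix the thread's error rejects."""
    packet, app = lint_rule(rule)
    return bool(packet) and bool(app)


if __name__ == "__main__":
    print(build_address_group("SG_NET", SAMPLE_SG_CIDRS))
    for rule in (ORIGINAL_RULE, SUGGESTED_RULE):
        verdict = "invalid" if mixes_packet_and_app_layer(rule) else "ok"
        print(lint_rule(rule), "->", verdict)
    for ip in ("14.100.200.7", "8.8.8.8"):
        where = "in SG_NET" if source_in_group(ip, SAMPLE_SG_CIDRS) else "outside SG_NET"
        print(ip, where)
```

<p>Paste the printed SG_NET line under address-groups in suricata.yaml. The linter only catches the one failure mode the thread hit; the authoritative check is to load the rule set in test mode, <code>suricata -T -c suricata.yaml -S wp.rules</code>, which parses the configuration and rules without starting capture and reports the same SC_ERR_INVALID_SIGNATURE error if the mix is still present.</p>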