<HTML><HEAD></HEAD>
<BODY dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial'; COLOR: #000000">
<DIV>Dear Sir,</DIV>
<DIV> </DIV>
<DIV>Now I'm facing this error:</DIV>
<DIV> </DIV>
<DIV>&lt;Error&gt; - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - Hit the
address buffer limit for the supplied address. Invalidating sig.
Please file a bug report on this.</DIV>
<DIV> </DIV>
<DIV>May I know why? Please help, and thank you so much.</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV style="FONT: 10pt tahoma">
<DIV> </DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><B>From:</B> <A
title=jwilliams@emergingthreats.net>Jason Williams</A> </DIV>
<DIV><B>Sent:</B> Thursday, August 3, 2017 10:57 PM</DIV>
<DIV><B>To:</B> <A title=admin@mesra.my>Mesra.net CEO</A> </DIV>
<DIV><B>Cc:</B> <A
title=oisf-users@lists.openinfosecfoundation.org>oisf-users@lists.openinfosecfoundation.org</A>
</DIV>
<DIV><B>Subject:</B> Re: [Oisf-users] Wordpress Brute Force
Rules</DIV></DIV></DIV>
<DIV> </DIV></DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV dir=ltr>You will need to create a new variable in your suricata.yaml
file.
<DIV> </DIV>
<DIV>code:</DIV>
<DIV> </DIV>
<DIV>
<DIV>##</DIV>
<DIV>## Step 1: inform Suricata about your network</DIV>
<DIV>##</DIV>
<DIV> </DIV>
<DIV>vars:</DIV>
<DIV>  # more specific is better for alert accuracy and performance</DIV>
<DIV>  address-groups:</DIV>
<DIV>    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"</DIV>
<DIV>    #HOME_NET: "[192.168.0.0/16]"</DIV>
<DIV>    #HOME_NET: "[10.0.0.0/8]"</DIV>
<DIV>    #HOME_NET: "[172.16.0.0/12]"</DIV>
<DIV>    #HOME_NET: "any"</DIV>
<DIV> </DIV>
<DIV>    EXTERNAL_NET: "!$HOME_NET"</DIV>
<DIV>    #EXTERNAL_NET: "any"</DIV></DIV>
<DIV> </DIV>
<DIV>You would first need to determine the subnets you want to assign to this
variable. You could pull these out of the GEOIP db or use a website like <A
href="http://www.nirsoft.net/countryip/sg.html">http://www.nirsoft.net/countryip/sg.html</A>.
</DIV>
<DIV> </DIV>
<DIV>You can then add a variable like so:</DIV>
<DIV> </DIV>
<DIV>
<DIV>##</DIV>
<DIV>## Step 1: inform Suricata about your network</DIV>
<DIV>##</DIV>
<DIV> </DIV>
<DIV>vars:</DIV>
<DIV>  # more specific is better for alert accuracy and performance</DIV>
<DIV>  address-groups:</DIV>
<DIV>    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"</DIV>
<DIV>    <SPAN style="BACKGROUND-COLOR: rgb(255,0,255)"><FONT
color=#f3f3f3><FONT face="arial, helvetica, sans-serif">SG_NET: "[1.32.128.0/18,14.100.0.0/16,27.34.176.0/20...add
more subnets as needed]" &lt;------------ Add </FONT></FONT></SPAN></DIV>
<DIV>    #HOME_NET: "[192.168.0.0/16]"</DIV>
<DIV>    #HOME_NET: "[10.0.0.0/8]"</DIV>
<DIV>    #HOME_NET: "[172.16.0.0/12]"</DIV>
<DIV>    #HOME_NET: "any"</DIV>
<DIV> </DIV>
<DIV>    EXTERNAL_NET: "!$HOME_NET"</DIV>
<DIV>    #EXTERNAL_NET: "any"</DIV></DIV>
<DIV> </DIV>
<DIV>Thanks,</DIV>
<DIV> </DIV>
<DIV>Jason</DIV></DIV>
<DIV class=gmail_extra>
<DIV> </DIV>
<DIV class=gmail_quote>On Thu, Aug 3, 2017 at 5:24 AM, Mesra.net CEO <SPAN
dir=ltr>&lt;<A target=_blank>admin@mesra.my</A>&gt;</SPAN> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex">
<DIV class=HOEnZb>
<DIV class=h5>
<DIV dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial'; COLOR: #000000">
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial'; COLOR: #000000">
<DIV>Thanks Jason,</DIV>
<DIV> </DIV>
<DIV>Btw, may I know how I can enable <FONT face=Calibri><FONT
style="FONT-SIZE: 12pt">[!$SG_NET,$EXTERNAL_NET]? That is not supported on my
suricata.</FONT></FONT></DIV>
<DIV><FONT size=3 face=Calibri></FONT> </DIV>
<DIV><FONT size=3 face=Calibri>TQ so much</FONT></DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV style="FONT: 10pt tahoma">
<DIV> </DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV><B>From:</B> <A title=jwilliams@emergingthreats.net>Jason Williams</A>
</DIV>
<DIV><B>Sent:</B> Thursday, August 3, 2017 5:09 AM</DIV>
<DIV><B>To:</B> <A title=admin@mesra.my>Mesra.net CEO</A> </DIV>
<DIV><B>Cc:</B> <A
title=oisf-users@lists.openinfosecfoundation.org>oisf-users@lists.<WBR>openinfosecfoundation.org</A>
</DIV>
<DIV><B>Subject:</B> Re: [Oisf-users] Wordpress Brute Force
Rules</DIV></DIV></DIV>
<DIV> </DIV></DIV>
<DIV
style='FONT-SIZE: small; TEXT-DECORATION: none; FONT-FAMILY: "Calibri"; FONT-WEIGHT: normal; COLOR: #000000; FONT-STYLE: normal; DISPLAY: inline'>
<DIV dir=ltr>
<DIV>Hello,</DIV>
<DIV> </DIV>
<DIV>The issue is the inclusion of geoip, which is an IP keyword. <A
href="http://suricata.readthedocs.io/en/latest/rules/header-keywords.html?highlight=geoip"
target=_blank>http://suricata.readthedocs.<WBR>io/en/latest/rules/header-<WBR>keywords.html?highlight=geoip</A></DIV>
<DIV> </DIV>
<DIV>If you define a range of IPs in the suricata.yaml as the variable SG_NET
you want to allow logins from, you could probably do something similar with
the below. </DIV>
<DIV> </DIV>
<DIV>drop http [!$SG_NET,$EXTERNAL_NET] any -> any any (msg:"WORDPRESS
Brute Force Login"; flow:to_server,established; content:"POST"; http_method;
content:"/wp-login.php"; nocase; http_uri; sid:56; rev:1;)</DIV>
<DIV> </DIV>
<DIV>Thanks,</DIV>
<DIV> </DIV>
<DIV>Jason</DIV>
<DIV> </DIV></DIV>
<DIV class=gmail_extra>
<DIV> </DIV>
<DIV class=gmail_quote>On Wed, Aug 2, 2017 at 11:35 AM, Mesra.net CEO <SPAN
dir=ltr>&lt;<A>admin@mesra.my</A>&gt;</SPAN> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex">
<DIV dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: 'Arial'; COLOR: #000000">
<DIV>Dear All,</DIV>
<DIV> </DIV>
<DIV>I am trying to make a rule to drop any access from outside Singapore to
wp-login.php, and this is the rule:<BR></DIV>
<DIV>drop tcp $EXTERNAL_NET any -> any $HTTP_PORTS (msg:"WORDPRESS Brute Force
Login"; flow:to_server,established; content:"POST"; nocase; http_method;
uricontent:"/wp-login.php"; nocase; geoip:src,!SG; sid:56; rev:1;)</DIV>
<DIV> </DIV>
<DIV>But i have an error:</DIV>
<DIV> </DIV>
<DIV>[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet
specific matches (like dsize, flags, ttl) with stream / state matching by
matching on app layer proto (like using http_* keywords).</DIV>
<DIV> </DIV>
<DIV>What am I doing wrong? Please help, and thank you so much.</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV></DIV></DIV></DIV><BR>______________________________<WBR>_________________<BR>Suricata
IDS Users mailing list:
<A>oisf-users@openinfosecfoundati<WBR>on.org</A><BR>Site: <A
href="http://suricata-ids.org" rel=noreferrer
target=_blank>http://suricata-ids.org</A> | Support: <A
href="http://suricata-ids.org/support/" rel=noreferrer
target=_blank>http://suricata-ids.org/suppor<WBR>t/</A><BR>List: <A
href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users"
rel=noreferrer
target=_blank>https://lists.openinfosecfound<WBR>ation.org/mailman/listinfo/<WBR>oisf-users</A><BR><BR>Conference:
<A href="https://suricon.net" rel=noreferrer
target=_blank>https://suricon.net</A><BR>Trainings: <A
href="https://suricata-ids.org/training/" rel=noreferrer
target=_blank>https://suricata-ids.org/train<WBR>ing/</A><BR></BLOCKQUOTE></DIV>
<DIV> </DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></BLOCKQUOTE></DIV>
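<DIV> </DIV>
<DIV>Added example, not taken from any message in this thread and not code from the Suricata project: a Python script that builds the SG_NET address-group entry Jason describes from a list of country prefixes. It collapses overlapping and adjacent CIDRs with the standard library's ipaddress module so the rendered variable string is as short as possible, then checks that string against a length budget before it is pasted into suricata.yaml. That is the practical angle on the "Hit the address buffer limit for the supplied address" error at the top of the thread: the message says one address string was longer than the parser's buffer, and a long country list with hundreds of un-aggregated prefixes is exactly how that happens. The thread does not state the buffer size, so the budget (8000 characters) is an assumed parameter. When the collapsed list still does not fit, the script emits SG_NET_1, SG_NET_2, ... and a combined SG_NET that references them; that nested-variable layout assumes Suricata expands each $VAR in its own parse pass, so confirm the result with suricata -T -c suricata.yaml before relying on it. The sample prefixes are constructed for the demonstration and are not a real Singapore allocation list.</DIV>
<DIV> </DIV>
```python
"""Build a compact Suricata address-group variable from a list of prefixes.

Added example, not code from the mailing-list thread or from the Suricata
project.  It collapses overlapping/adjacent CIDRs so the rendered variable
string is as short as possible, then checks that string against a length
budget before it goes into suricata.yaml's vars.address-groups section.
"""
import ipaddress

# Constructed sample input (not a real Singapore allocation list).  It contains
# a prefix that is fully covered by another one and two adjacent /16s, to show
# what the collapse step does.
SAMPLE_PREFIXES = [
    "1.32.128.0/18",
    "1.32.128.0/20",    # inside 1.32.128.0/18 -> dropped
    "14.100.0.0/16",
    "14.101.0.0/16",    # adjacent to 14.100.0.0/16 -> merged into 14.100.0.0/15
    "27.34.176.0/20",
    "27.34.192.0/20",   # not aligned on a common /19 -> stays separate
]

# Assumption: Suricata's address parser copies one address-group string into a
# fixed-size buffer (the error quoted in the thread says that limit was hit);
# the thread does not state the size, so treat this budget as a parameter.
DEFAULT_BUDGET = 8000


def collapse_prefixes(prefixes):
    """Return the minimal sorted list of CIDRs covering the same addresses.

    IPv4 and IPv6 are collapsed separately because ipaddress.collapse_addresses
    refuses to mix address families.
    """
    v4, v6 = [], []
    for p in prefixes:
        net = ipaddress.ip_network(p.strip(), strict=False)
        (v6 if net.version == 6 else v4).append(net)
    out = [str(n) for n in ipaddress.collapse_addresses(v4)]
    out += [str(n) for n in ipaddress.collapse_addresses(v6)]
    return out


def render_group(prefixes):
    """Render a list of CIDRs (or $VAR names) in Suricata address-group syntax."""
    return "[" + ",".join(prefixes) + "]"


def split_for_budget(prefixes, budget=DEFAULT_BUDGET):
    """Chunk CIDRs so each rendered group string stays within the budget."""
    chunks, current = [], []
    for p in prefixes:
        if current and len(render_group(current + [p])) > budget:
            chunks.append(current)
            current = []
        current.append(p)
    if current:
        chunks.append(current)
    return chunks


def render_vars(name, prefixes, budget=DEFAULT_BUDGET):
    """Return suricata.yaml lines for variable NAME under address-groups.

    If the collapsed list fits in the budget, a single variable is emitted.
    Otherwise NAME_1, NAME_2, ... are emitted plus a combined NAME that
    references them (assumes each nested $VAR is expanded in its own parse
    pass; verify with 'suricata -T -c suricata.yaml').
    """
    chunks = split_for_budget(collapse_prefixes(prefixes), budget)
    indent = "    "  # two levels deep: under "vars:" / "address-groups:"
    if len(chunks) == 1:
        return [f'{indent}{name}: "{render_group(chunks[0])}"']
    lines, parts = [], []
    for i, chunk in enumerate(chunks, 1):
        part = f"{name}_{i}"
        parts.append("$" + part)
        lines.append(f'{indent}{part}: "{render_group(chunk)}"')
    lines.append(f'{indent}{name}: "{render_group(parts)}"')
    return lines


if __name__ == "__main__":
    print("vars:\n  address-groups:")
    for line in render_vars("SG_NET", SAMPLE_PREFIXES):
        print(line)
    print("\n# same list forced through a tiny budget to show the split:")
    for line in render_vars("SG_NET", SAMPLE_PREFIXES, budget=30):
        print(line)
```
<DIV>Feed the script the prefix list exported from a GeoIP database or the country page Jason linked, paste the emitted lines under address-groups, and then use the variable in the rule header as [!$SG_NET,$EXTERNAL_NET]. Collapsing first matters more than splitting: allocation lists usually contain many adjacent blocks, and aggregating them both shortens the string and reduces the number of address entries Suricata has to evaluate per packet.</DIV>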
<DIV> </DIV></DIV></DIV></DIV></DIV></BODY></HTML>