<!DOCTYPE html>
<html><head>
<meta charset="UTF-8">
</head><body><p>Has there been any further movement on this? <br></p><p>Mesra.net, have you tried splitting the range and creating multiple variables to see if that works for you? <br></p><p>Also, would controlling the access using iptables work for you? You should be able to at least control access by port. iptables for sure does not have any such limits in terms of the range you could specify.<br></p><p>Has anyone else tried similar with Suricata? <br></p><p>regards<br></p><p>Amar<br></p><p><br></p><p><br></p><blockquote type="cite">On August 3, 2017 at 2:13 PM "Mesra.net CEO" &lt;admin@mesra.my&gt; wrote:<br><br><div dir="ltr"><div style="font-size: 10pt; font-family: 'Arial'; color: #000000;"><div>Dear Sir,</div><div> </div><div>Now I’m facing this error:</div><div> </div><div>&lt;Error&gt; - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - Hit the address buffer limit for the supplied address. Invalidating sig. Please file a bug report on this.</div><div> </div><div>May I know why? Please help, and thank you so much.</div><div> </div><div> </div><div> </div><div> </div><div style="font-size: small; text-decoration: none; font-family: 'Calibri'; font-weight: normal; color: #000000; font-style: normal; display: inline;"><div style="font: 10pt tahoma;"><div> </div><div style="background: #f5f5f5;"><div style="font-color: black;"><strong>From:</strong> <a>Jason Williams</a><br></div><div><strong>Sent:</strong> Thursday, August 3, 2017 10:57 PM</div><div><strong>To:</strong> <a>Mesra.net CEO</a><br></div><div><strong>Cc:</strong> <a>oisf-users@lists.openinfosecfoundation.org</a><br></div><div><strong>Subject:</strong> Re: [Oisf-users] Wordpress Brute Force Rules</div></div></div><div> </div></div><div style="font-size: small; text-decoration: none; font-family: 'Calibri'; font-weight: normal; color: #000000; font-style: normal; display: inline;"><div dir="ltr">You will need to create a new variable in your suricata.yaml file. 
<div> </div><div>code:</div><div> </div><div><div>##</div><div>## Step 1: inform Suricata about your network</div><div>##</div><div> </div><div>vars:</div><div> # more specific is better for alert accuracy and performance</div><div> address-groups:</div><div> HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"</div><div> #HOME_NET: "[192.168.0.0/16]"</div><div> #HOME_NET: "[10.0.0.0/8]"</div><div> #HOME_NET: "[172.16.0.0/12]"</div><div> #HOME_NET: "any"</div><div> </div><div> EXTERNAL_NET: "!$HOME_NET"</div><div> #EXTERNAL_NET: "any"</div></div><div> </div><div>You would first need to determine the subnets you want to assign to this variable. You could pull these out of the GEOIP db or use a website like <a href="http://www.nirsoft.net/countryip/sg.html">http://www.nirsoft.net/countryip/sg.html</a>.</div><div> </div><div>You can then add a variable like so:</div><div> </div><div><div>##</div><div>## Step 1: inform Suricata about your network</div><div>##</div><div> </div><div>vars:</div><div> # more specific is better for alert accuracy and performance</div><div> address-groups:</div><div> HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"</div><div> <span style="background-color: #ff00ff;"><span style="color: #f3f3f3;"><span style="font-family: arial,helvetica,sans-serif;">SG_NET: "[1.32.128.0/18,14.100.0.0/16,27.34.176.0/20...add more subnets as needed]" &lt;------------ Add </span></span></span></div><div> #HOME_NET: "[192.168.0.0/16]"</div><div> #HOME_NET: "[10.0.0.0/8]"</div><div> #HOME_NET: "[172.16.0.0/12]"</div><div> #HOME_NET: "any"</div><div> </div><div> 
EXTERNAL_NET: "!$HOME_NET"</div><div> #EXTERNAL_NET: "any"</div></div><div> </div><div>Thanks,</div><div> </div><div>Jason</div></div><div class="ox-f7c90a0aa1-gmail_extra"><div> </div><div class="ox-f7c90a0aa1-gmail_quote">On Thu, Aug 3, 2017 at 5:24 AM, Mesra.net CEO &lt;<a target="_blank">admin@mesra.my</a>&gt; wrote:<br><blockquote><div class="ox-f7c90a0aa1-HOEnZb"><div class="ox-f7c90a0aa1-h5"><div dir="ltr"><div dir="ltr"><div style="font-size: 10pt; font-family: 'Arial'; color: #000000;"><div style="font-size: small; text-decoration: none; font-family: 'Calibri'; font-weight: normal; color: #000000; font-style: normal; display: inline;"><div dir="ltr"><div style="font-size: 10pt; font-family: 'Arial'; color: #000000;"><div>Thanks Jason,</div><div> </div><div>Btw, may I know how I can enable <span style="font-family: Calibri;"><span style="font-size: 12pt;">[!$SG_NET,$EXTERNAL_NET]? That is not supported on my suricata.</span></span></div><div> </div><div><span style="font-family: Calibri; font-size: medium;">TQ so much</span></div><div style="font-size: small; text-decoration: none; font-family: 'Calibri'; font-weight: normal; color: #000000; font-style: normal; display: inline;"><div style="font: 10pt tahoma;"><div> </div><div style="background: #f5f5f5;"><div><strong>From:</strong> <a>Jason Williams</a><br></div><div><strong>Sent:</strong> Thursday, August 3, 2017 5:09 AM</div><div><strong>To:</strong> <a>Mesra.net CEO</a><br></div><div><strong>Cc:</strong> <a>oisf-users@lists.openinfosecfoundation.org</a><br></div><div><strong>Subject:</strong> Re: [Oisf-users] Wordpress Brute Force Rules</div></div></div><div> </div></div><div style="font-size: small; text-decoration: none; font-family: 'Calibri'; font-weight: normal; color: #000000; font-style: normal; display: inline;"><div dir="ltr"><div>Hello,</div><div> </div><div>The issue is the inclusion of geoip, which is an IP keyword. 
<a href="http://suricata.readthedocs.io/en/latest/rules/header-keywords.html?highlight=geoip" target="_blank">http://suricata.readthedocs.io/en/latest/rules/header-keywords.html?highlight=geoip</a><br></div><div> </div><div>If you define a range of IPs in the suricata.yaml as the variable SG_NET you want to allow logins from, you could probably do something similar with the below.</div><div> </div><div>drop http [!$SG_NET,$EXTERNAL_NET] any -> any any (msg:"WORDPRESS Brute Force Login"; flow:to_server,established; content:"POST"; http_method; content:"/wp-login.php"; nocase; http_uri; sid:56; rev:1;)</div><div> </div><div>Thanks,</div><div> </div><div>Jason</div><div> </div></div><div class="ox-f7c90a0aa1-gmail_extra"><div> </div><div class="ox-f7c90a0aa1-gmail_quote">On Wed, Aug 2, 2017 at 11:35 AM, Mesra.net CEO &lt;<a>admin@mesra.my</a>&gt; wrote:<br><blockquote><div dir="ltr"><div dir="ltr"><div style="font-size: 10pt; font-family: 'Arial'; color: #000000;"><div>Dear All,</div><div> </div><div>I am trying to make a rule to drop any access from outside Singapore to wp-login.php, and this is the rule:<br></div><div>drop tcp $EXTERNAL_NET any -> any $HTTP_PORTS (msg:"WORDPRESS Brute Force Login"; flow:to_server,established; content:"POST"; nocase; http_method; uricontent:"/wp-login.php"; nocase; geoip:src,!SG; sid:56; rev:1;)</div><div> </div><div>But I have an error:</div><div> </div><div>[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).</div><div> </div><div>What am I doing wrong? Please help, and thank you so 
much</div><div> </div><div> </div><div> </div><div> </div></div></div></div><br>_______________________________________________<br>Suricata IDS Users mailing list: <a>oisf-users@openinfosecfoundation.org</a><br>Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br><br>Conference: <a href="https://suricon.net" target="_blank">https://suricon.net</a><br>Trainings: <a href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/training/</a><br></blockquote></div><div> </div></div></div></div></div></div></div></div></div></div></div></blockquote></div><div> </div></div></div></div></div></blockquote></body></html>
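<p>Amar's suggestion above (shrink the Singapore prefix list and split it across several variables) worked through as an added Python example; this is not code from the thread or from the Suricata project. The subnets beyond the three Jason lists are constructed, the names SG_NET_1 and SG_NET_2 are assumptions, and whether split variables actually get past the address buffer limit is something to confirm on your own Suricata, as Amar says.</p>

```python
"""Added example (not from the thread): collapse a country prefix list, split it
into numbered suricata.yaml address-group variables, and build the wp-login.php
drop rule that negates all of them. Names and extra subnets are assumptions."""
import ipaddress

# Constructed sample list: the first three prefixes are the ones Jason shows,
# the rest are made up so that collapsing has something to do.
SAMPLE_SUBNETS = [
    "1.32.128.0/18", "14.100.0.0/16", "27.34.176.0/20",
    "27.34.160.0/20",   # adjacent to 27.34.176.0/20: the pair merges into a /19
    "14.100.64.0/18",   # already inside 14.100.0.0/16: dropped as redundant
    "103.7.48.0/22", "103.7.52.0/22", "175.156.0.0/14",
]


def collapse_cidrs(cidrs):
    """Return the minimal sorted list of prefixes covering the same addresses."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def split_into_vars(cidrs, base="SG_NET", per_var=3):
    """Split a prefix list into numbered variables of at most per_var entries."""
    return {f"{base}_{i // per_var + 1}": cidrs[i:i + per_var]
            for i in range(0, len(cidrs), per_var)}


def render_address_groups(groups):
    """Render a vars: address-groups: fragment for suricata.yaml."""
    lines = ["vars:", "  address-groups:"]
    for name, nets in groups.items():
        joined = ",".join(nets)
        lines.append(f'    {name}: "[{joined}]"')
    return "\n".join(lines)


def render_rule(groups, sid=56):
    """Jason's drop rule, with every split variable negated in the source group."""
    excluded = ",".join(f"!${name}" for name in groups)
    return (f"drop http [{excluded},$EXTERNAL_NET] any -> any any "
            '(msg:"WORDPRESS Brute Force Login"; flow:to_server,established; '
            'content:"POST"; http_method; content:"/wp-login.php"; nocase; '
            f"http_uri; sid:{sid}; rev:1;)")


if __name__ == "__main__":
    groups = split_into_vars(collapse_cidrs(SAMPLE_SUBNETS))
    print(render_address_groups(groups))
    print(render_rule(groups))
```

Collapsing adjacent and overlapping prefixes shortens the list on its own, so try that before splitting; validate the generated fragment with <code>suricata -T</code> before reloading rules.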