[Oisf-users] Wordpress Brute Force Rules

Jason Williams jwilliams at emergingthreats.net
Wed Aug 2 21:09:15 UTC 2017


The issue is the inclusion of geoip, which is an IP keyword.

If you define a range of IPs in the suricata.yaml as the variable SG_NET
you want to allow logins from, you could probably do something similar with
the below.

drop http [!$SG_NET,$EXTERNAL_NET] any -> any any (msg:"WORDPRESS Brute
Force Login"; flow:to_server,established; content:"POST"; http_method;
content:"/wp-login.php"; nocase; http_uri; sid:56; rev:1;)



On Wed, Aug 2, 2017 at 11:35 AM, Mesra.net CEO <admin at mesra.my> wrote:

> Dear All,
> I try to make a rule to drop any of access out of Singapore on
> wplogin.php, and this is the rule:
> drop tcp $EXTERNAL_NET any -> any $HTTP_PORTS (msg:"WORDPRESS Brute Force
> Login"; flow:to_server,established;content:"POST"; nocase; http_method;
> uricontent:"/wp-login.php"; nocase; geoip:src,!SG; sid:56; rev:1;)
> But i have an error:
> [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet
> specific matches (like dsize, flags, ttl) with stream / state matching by
> matching on app layer proto (like using http_* keywords).
> What i’m doing wrong, please help and thank you so much
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170802/e1e07c65/attachment-0002.html>

More information about the Oisf-users mailing list