[Oisf-users] Wordpress Brute Force Rules

Jason Williams jwilliams at emergingthreats.net
Thu Aug 3 14:57:30 UTC 2017


You will need to create a new variable in your suricata.yaml file.

code:

##
## Step 1: inform Suricata about your network
##

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"

You would first need to determine the subnets you want to assign to this
variable. You could pull these out of the GEOIP db or use a website like
http://www.nirsoft.net/countryip/sg.html.

You can then add a variable like so:

##
## Step 1: inform Suricata about your network
##

vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    SG_NET: "[1.32.128.0/18,14.100.0.0/16,27.34.176.0/20]"  # <-- Add; extend the list with more subnets as needed
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"

Thanks,

Jason
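Added here as an illustration, not code from this thread or from the Suricata project: a small Python model of how the source address group in the proposed rule, [!$SG_NET,$EXTERNAL_NET], resolves once SG_NET exists in address-groups, and why the rule cannot load while SG_NET is undefined. The variable values are copied from the message above (with the YAML "key: value" spacing corrected); the expansion and matching semantics are a simplified assumption about Suricata's address-group syntax, not its implementation, and the sample client IPs are constructed.

```python
import ipaddress

# Constructed copy of the address-groups block from the message above, with the
# YAML "key: value" spacing fixed (SG_NET:"..." without a space after the colon
# is not read as a mapping entry). SG_NET holds only the three subnets quoted
# in the message; a real list would carry many more.
ADDRESS_GROUPS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "!$HOME_NET",
    "SG_NET": "[1.32.128.0/18,14.100.0.0/16,27.34.176.0/20]",
}


class UndefinedVariable(Exception):
    """A rule referenced $NAME but address-groups has no NAME entry."""


def _split_top_level(text):
    """Split 'a,!b,[c,d]' at commas that are not inside nested brackets."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def expand(group, groups=ADDRESS_GROUPS, negate=False, _seen=()):
    """Resolve an address-group expression into (included, excluded) networks.

    Simplified model of Suricata's address-group syntax (an assumption for this
    example, not Suricata's own code): a leading '!' flips the sense of what
    follows, '$NAME' substitutes a variable, '[...]' nests a list, 'any' is
    0.0.0.0/0, and anything else is an IP address or CIDR block.
    """
    group = group.strip()
    if group.startswith("!"):
        return expand(group[1:], groups, not negate, _seen)
    if group.startswith("[") and group.endswith("]"):
        included, excluded = [], []
        for item in _split_top_level(group[1:-1]):
            inc, exc = expand(item, groups, negate, _seen)
            included += inc
            excluded += exc
        return included, excluded
    if group.startswith("$"):
        name = group[1:]
        if name not in groups:
            raise UndefinedVariable(name)
        if name in _seen:
            raise ValueError("address-group variable loops: " + name)
        return expand(groups[name], groups, negate, _seen + (name,))
    net = ipaddress.ip_network("0.0.0.0/0" if group == "any" else group, strict=False)
    return ([], [net]) if negate else ([net], [])


def matches(ip, group, groups=ADDRESS_GROUPS):
    """True if ip is selected by the group: inside some included network (or any
    address when the group lists only negations) and outside every excluded one.
    Read this way, [!$SG_NET,$EXTERNAL_NET] selects any client that is neither
    in the Singapore list nor on the home network."""
    included, excluded = expand(group, groups)
    addr = ipaddress.ip_address(ip)
    if not included:
        included = [ipaddress.ip_network("0.0.0.0/0")]
    return any(addr in n for n in included) and not any(addr in n for n in excluded)


def undefined_variable(group, groups=ADDRESS_GROUPS):
    """Return the first variable the group references that groups lacks, or None.
    Suricata refuses to load a rule whose header references an undefined
    variable, which is what happens if the rule is tried before SG_NET is
    added to suricata.yaml."""
    try:
        expand(group, groups)
    except UndefinedVariable as err:
        return str(err)
    return None


if __name__ == "__main__":
    SRC = "[!$SG_NET,$EXTERNAL_NET]"  # source address group of the proposed drop rule
    # Constructed sample client IPs: a public address outside both lists,
    # one inside SG_NET, one inside HOME_NET.
    for sample in ("203.0.113.7", "1.32.128.1", "192.168.1.5"):
        verdict = "selected by the drop rule" if matches(sample, SRC) else "not selected"
        print(f"{sample:>14}  {verdict}")
    without_sg = {k: v for k, v in ADDRESS_GROUPS.items() if k != "SG_NET"}
    print("missing variable without SG_NET:", undefined_variable(SRC, without_sg))
```

Because EXTERNAL_NET is itself a negation of HOME_NET, the whole group ends up as exclusions only, so it behaves as "any address except the listed ones"; a client on the home network or in SG_NET is not selected and its POST to /wp-login.php is left alone, while any other source is dropped.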

On Thu, Aug 3, 2017 at 5:24 AM, Mesra.net CEO <admin at mesra.my> wrote:

> Thanks Jason,
>
> Btw, may I know how I can enable [!$SG_NET,$EXTERNAL_NET]? That is not
> supported on my Suricata.
>
> TQ so much
>
> *From:* Jason Williams
> *Sent:* Thursday, August 3, 2017 5:09 AM
> *To:* Mesra.net CEO
> *Cc:* oisf-users at lists.openinfosecfoundation.org
> *Subject:* Re: [Oisf-users] Wordpress Brute Force Rules
>
> Hello,
>
> The issue is the inclusion of geoip, which is an IP keyword.
> http://suricata.readthedocs.io/en/latest/rules/header-
> keywords.html?highlight=geoip
>
> If you define a range of IPs in the suricata.yaml as the variable SG_NET
> you want to allow logins from, you could probably do something similar with
> the below.
>
> drop http [!$SG_NET,$EXTERNAL_NET] any -> any any (msg:"WORDPRESS Brute
> Force Login"; flow:to_server,established; content:"POST"; http_method;
> content:"/wp-login.php"; nocase; http_uri; sid:56; rev:1;)
>
> Thanks,
>
> Jason
>
>
> On Wed, Aug 2, 2017 at 11:35 AM, Mesra.net CEO <admin at mesra.my> wrote:
>
>> Dear All,
>>
>> I am trying to make a rule to drop any access from outside Singapore to
>> wp-login.php, and this is the rule:
>> drop tcp $EXTERNAL_NET any -> any $HTTP_PORTS (msg:"WORDPRESS Brute
>> Force Login"; flow:to_server,established;content:"POST"; nocase;
>> http_method; uricontent:"/wp-login.php"; nocase; geoip:src,!SG; sid:56;
>> rev:1;)
>>
>> But i have an error:
>>
>> [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet
>> specific matches (like dsize, flags, ttl) with stream / state matching by
>> matching on app layer proto (like using http_* keywords).
>>
>> What am I doing wrong? Please help, and thank you so much.
>>
>>
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>>
>