[Oisf-users] Wordpress Brute Force Rules

Mesra.net CEO admin at mesra.my
Thu Aug 3 18:01:41 UTC 2017


Hi Jason,

Thank you so much



From: Jason Williams 
Sent: Thursday, August 3, 2017 10:57 PM
To: Mesra.net CEO 
Cc: oisf-users at lists.openinfosecfoundation.org 
Subject: Re: [Oisf-users] Wordpress Brute Force Rules

You will need to create a new variable in your suricata.yaml file.  

code:

##
## Step 1: inform Suricata about your network
##

vars:
  # more specifc is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"

You would first need to determine the subnets you want to assign to this variable. You could pull these out of the GEOIP db or use a website like http://www.nirsoft.net/countryip/sg.html. 

You can then add a variable like so:

##
## Step 1: inform Suricata about your network
##

vars:
  # more specifc is better for alert accuracy and performance
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
   SG_NET:"[1.32.128.0/18,14.100.0.0/16,27.34.176.0/20...add more subnets as needed]" <------------ Add 
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"

    EXTERNAL_NET: "!$HOME_NET"
    #EXTERNAL_NET: "any"

Thanks,

Jason

On Thu, Aug 3, 2017 at 5:24 AM, Mesra.net CEO <admin at mesra.my> wrote:

  Thanks Jason,

  Btw may i know how can i enable [!$SG_NET,$EXTERNAL_NET] ? That not supported on my suricata

  TQ so much

  From: Jason Williams 
  Sent: Thursday, August 3, 2017 5:09 AM
  To: Mesra.net CEO 
  Cc: oisf-users at lists.openinfosecfoundation.org 
  Subject: Re: [Oisf-users] Wordpress Brute Force Rules

  Hello,

  The issue is the inclusion of geoip, which is an IP keyword. http://suricata.readthedocs.io/en/latest/rules/header-keywords.html?highlight=geoip

  If you define a range of IPs in the suricata.yaml as the variable SG_NET you want to allow logins from, you could probably do something similar with the below. 

  drop http [!$SG_NET,$EXTERNAL_NET] any -> any any (msg:"WORDPRESS Brute Force Login"; flow:to_server,established; content:"POST"; http_method; content:"/wp-login.php"; nocase; http_uri; sid:56; rev:1;)

  Thanks,

  Jason


  On Wed, Aug 2, 2017 at 11:35 AM, Mesra.net CEO <admin at mesra.my> wrote:

    Dear All,

    I try to make a rule to drop any of access out of Singapore on wplogin.php, and this is the rule:

    drop tcp $EXTERNAL_NET any -> any $HTTP_PORTS (msg:"WORDPRESS Brute Force Login"; flow:to_server,established;content:"POST"; nocase; http_method; uricontent:"/wp-login.php"; nocase; geoip:src,!SG; sid:56; rev:1;)

    But i have an error:

    [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).

    What i’m doing wrong, please help and thank you so much





    _______________________________________________
    Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
    Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
    List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

    Conference: https://suricon.net
    Trainings: https://suricata-ids.org/training/



  _______________________________________________
  Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
  Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
  List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

  Conference: https://suricon.net
  Trainings: https://suricata-ids.org/training/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170804/deb3261a/attachment-0002.html>


More information about the Oisf-users mailing list