[Oisf-users] Wordpress Brute Force Rules

Peter Manev petermanev at gmail.com
Fri Aug 4 15:24:47 UTC 2017


On Thu, Aug 3, 2017 at 7:13 PM, Mesra.net CEO <admin at mesra.my> wrote:
> Dear Sir,
>
> Now I'm facing this error:
>
> <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - Hit the address
> buffer limit for the supplied address.  Invalidating sig.  Please file a bug
> report on this.
>


Can you please file a bug report on our redmine -
https://redmine.openinfosecfoundation.org/projects/suricata/issues
with all the relevant info so we can reproduce the bug? (suricata
--build-info , OS, start line, relevant suricata.yaml section - you
can privately share this if ok with you)

Thank you

> May I know why? Please help, and thank you so much.
>
> From: Jason Williams
> Sent: Thursday, August 3, 2017 10:57 PM
> To: Mesra.net CEO
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Wordpress Brute Force Rules
>
> You will need to create a new variable in your suricata.yaml file.
>
> code:
>
> ##
> ## Step 1: inform Suricata about your network
> ##
>
> vars:
>   # more specific is better for alert accuracy and performance
>   address-groups:
>     HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
>     #HOME_NET: "[192.168.0.0/16]"
>     #HOME_NET: "[10.0.0.0/8]"
>     #HOME_NET: "[172.16.0.0/12]"
>     #HOME_NET: "any"
>
>     EXTERNAL_NET: "!$HOME_NET"
>     #EXTERNAL_NET: "any"
>
> You would first need to determine the subnets you want to assign to this
> variable. You could pull these out of the GEOIP db or use a website like
> http://www.nirsoft.net/countryip/sg.html.
>
> You can then add a variable like so:
>
> ##
> ## Step 1: inform Suricata about your network
> ##
>
> vars:
>   # more specific is better for alert accuracy and performance
>   address-groups:
>     HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
>     SG_NET: "[1.32.128.0/18,14.100.0.0/16,27.34.176.0/20...add more subnets as needed]" <------------ Add
>     #HOME_NET: "[192.168.0.0/16]"
>     #HOME_NET: "[10.0.0.0/8]"
>     #HOME_NET: "[172.16.0.0/12]"
>     #HOME_NET: "any"
>
>     EXTERNAL_NET: "!$HOME_NET"
>     #EXTERNAL_NET: "any"
>
> Thanks,
>
> Jason
>
> On Thu, Aug 3, 2017 at 5:24 AM, Mesra.net CEO <admin at mesra.my> wrote:
>>
>> Thanks Jason,
>>
>> Btw, may I know how I can enable [!$SG_NET,$EXTERNAL_NET]? That is not
>> supported on my Suricata.
>>
>> TQ so much
>>
>> From: Jason Williams
>> Sent: Thursday, August 3, 2017 5:09 AM
>> To: Mesra.net CEO
>> Cc: oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Wordpress Brute Force Rules
>>
>> Hello,
>>
>> The issue is the inclusion of geoip, which is an IP keyword.
>> http://suricata.readthedocs.io/en/latest/rules/header-keywords.html?highlight=geoip
>>
>> If you define a range of IPs in the suricata.yaml as the variable SG_NET
>> you want to allow logins from, you could probably do something similar with
>> the below.
>>
>> drop http [!$SG_NET,$EXTERNAL_NET] any -> any any (msg:"WORDPRESS Brute
>> Force Login"; flow:to_server,established; content:"POST"; http_method;
>> content:"/wp-login.php"; nocase; http_uri; sid:56; rev:1;)
>>
>> Thanks,
>>
>> Jason
>>
>>
>> On Wed, Aug 2, 2017 at 11:35 AM, Mesra.net CEO <admin at mesra.my> wrote:
>>>
>>> Dear All,
>>>
>>> I am trying to make a rule to drop any access from outside Singapore to
>>> wp-login.php, and this is the rule:
>>> drop tcp $EXTERNAL_NET any -> any $HTTP_PORTS (msg:"WORDPRESS Brute Force
>>> Login"; flow:to_server,established; content:"POST"; nocase; http_method;
>>> uricontent:"/wp-login.php"; nocase; geoip:src,!SG; sid:56; rev:1;)
>>>
>>> But i have an error:
>>>
>>> [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet
>>> specific matches (like dsize, flags, ttl) with stream / state matching by
>>> matching on app layer proto (like using http_* keywords).
>>>
>>> What am I doing wrong? Please help, and thank you so much.
>>>
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>
>>> Conference: https://suricon.net
>>> Trainings: https://suricata-ids.org/training/
>>
>



-- 
Regards,
Peter Manev
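As an added, constructed example (not code from this thread or from Suricata itself), the Python below models how Suricata evaluates the source address group `[!$SG_NET,$EXTERNAL_NET]` that Jason suggested, so a rule author can check which client addresses the drop rule would cover before loading it; it also collapses adjacent subnets into fewer entries before rendering the yaml value. The SG_NET list is a hypothetical three-subnet subset, and the group semantics (positive entries minus negated entries, an exclusions-only group meaning "any" minus those exclusions) are the assumed model.

```python
import ipaddress

# Constructed sample of the address-groups section of suricata.yaml.
# SG_NET is a hypothetical three-subnet subset, not a complete country list.
ADDRESS_GROUPS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "!$HOME_NET",
    "SG_NET": "[1.32.128.0/18,14.100.0.0/16,27.34.176.0/20]",
}
WP_RULE_SRC = "[!$SG_NET,$EXTERNAL_NET]"  # source group of the suggested rule


def _split_top_level(text):
    """Split a group body on commas that are not inside nested brackets."""
    items, depth, current = [], 0, ""
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items.append(current.strip())
            current = ""
        else:
            current += ch
    if current.strip():
        items.append(current.strip())
    return items


def address_matches(ip, expr, groups=ADDRESS_GROUPS):
    """Evaluate a Suricata-style address expression (vars, !, [..]) for ip."""
    expr = expr.strip()
    if expr.startswith("!"):                       # negation of any expression
        return not address_matches(ip, expr[1:], groups)
    if expr.startswith("$"):                       # variable reference
        return address_matches(ip, groups[expr[1:]], groups)
    if expr.startswith("[") and expr.endswith("]"):
        items = _split_top_level(expr[1:-1])
        positives = [i for i in items if not i.startswith("!")]
        negatives = [i[1:] for i in items if i.startswith("!")]
        # Exclusions-only group = "any" minus exclusions; else union minus them.
        included = not positives or any(address_matches(ip, p, groups) for p in positives)
        excluded = any(address_matches(ip, n, groups) for n in negatives)
        return included and not excluded
    if expr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def render_group(cidrs):
    """Collapse adjacent/overlapping subnets and render a yaml group value."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c, strict=False) for c in cidrs)
    return "[" + ",".join(str(n) for n in nets) + "]"
```

A source address matches the rule only when it is outside both HOME_NET and SG_NET, so an internal client or a Singapore address is never dropped by it.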


