[Oisf-users] Wordpress Brute Force Rules

amar countersnipe.com amar at countersnipe.com
Wed Aug 9 14:26:54 UTC 2017


Has there been any further movement on this?

Mesra.net, have you tried splitting the range and creating multiple variables to see if that works for you?

Also would controlling the access using iptables work for you? You should be able to at least control access by port. iptables for sure does not have any such limits in terms of the range you could specify.

Has anyone else tried similar with Suricata?

regards

Amar



> On August 3, 2017 at 2:13 PM "Mesra.net CEO" <admin at mesra.my> wrote:
> 
>     Dear Sir,
>      
>     Now I'm facing this error:
>      
>     <Error> - [ERRCODE: SC_ERR_ADDRESS_ENGINE_GENERIC(89)] - Hit the address buffer limit for the supplied address.  Invalidating sig.  Please file a bug report on this.
>      
>     May I know why? Please help, and thank you so much.
>      
>     From: Jason Williams
>     Sent: Thursday, August 3, 2017 10:57 PM
>     To: Mesra.net CEO
>     Cc: oisf-users at lists.openinfosecfoundation.org
>     Subject: Re: [Oisf-users] Wordpress Brute Force Rules
>      
>     You will need to create a new variable in your suricata.yaml file. 
>      
>     code:
>      
>     ##
>     ## Step 1: inform Suricata about your network
>     ##
>      
>     vars:
>       # more specific is better for alert accuracy and performance
>       address-groups:
>         HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
>         #HOME_NET: "[192.168.0.0/16]"
>         #HOME_NET: "[10.0.0.0/8]"
>         #HOME_NET: "[172.16.0.0/12]"
>         #HOME_NET: "any"
>      
>         EXTERNAL_NET: "!$HOME_NET"
>         #EXTERNAL_NET: "any"
>      
>     You would first need to determine the subnets you want to assign to this variable. You could pull these out of the GEOIP db or use a website like http://www.nirsoft.net/countryip/sg.html.
>      
>     You can then add a variable like so:
>      
>     ##
>     ## Step 1: inform Suricata about your network
>     ##
>      
>     vars:
>       # more specific is better for alert accuracy and performance
>       address-groups:
>         HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
>         SG_NET: "[1.32.128.0/18,14.100.0.0/16,27.34.176.0/20,...add more subnets as needed]"   <------------ Add
>         #HOME_NET: "[192.168.0.0/16]"
>         #HOME_NET: "[10.0.0.0/8]"
>         #HOME_NET: "[172.16.0.0/12]"
>         #HOME_NET: "any"
>      
>         EXTERNAL_NET: "!$HOME_NET"
>         #EXTERNAL_NET: "any"
>      
>      
>     Thanks,
>      
>     Jason
>      
>     On Thu, Aug 3, 2017 at 5:24 AM, Mesra.net CEO <admin at mesra.my> wrote:
> 
> >         Thanks Jason,
> >          
> >         Btw, may I know how I can enable [!$SG_NET,$EXTERNAL_NET]? That is not supported on my Suricata.
> >          
> >         TQ so much
> >          
> >         From: Jason Williams
> >         Sent: Thursday, August 3, 2017 5:09 AM
> >         To: Mesra.net CEO
> >         Cc: oisf-users at lists.openinfosecfoundation.org
> >         Subject: Re: [Oisf-users] Wordpress Brute Force Rules
> >          
> >         Hello,
> >          
> >         The issue is the inclusion of geoip, which is an IP keyword. http://suricata.readthedocs.io/en/latest/rules/header-keywords.html?highlight=geoip
> >          
> >         If you define a range of IPs in the suricata.yaml as the variable SG_NET you want to allow logins from, you could probably do something similar with the below.
> >          
> >         drop http [!$SG_NET,$EXTERNAL_NET] any -> any any (msg:"WORDPRESS Brute Force Login"; flow:to_server,established; content:"POST"; http_method; content:"/wp-login.php"; nocase; http_uri; sid:56; rev:1;)
> >          
> >         Thanks,
> >          
> >         Jason
> >          
> >          
> >         On Wed, Aug 2, 2017 at 11:35 AM, Mesra.net CEO <admin at mesra.my> wrote:
> > 
> > >             Dear All,
> > >              
> > >             I am trying to make a rule to drop any access from outside Singapore to wp-login.php, and this is the rule:
> > >             drop tcp $EXTERNAL_NET any -> any $HTTP_PORTS (msg:"WORDPRESS Brute Force Login"; flow:to_server,established;content:"POST"; nocase; http_method; uricontent:"/wp-login.php"; nocase; geoip:src,!SG; sid:56; rev:1;)
> > >              
> > >             But i have an error:
> > >              
> > >             [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords).
> > >              
> > >             What am I doing wrong? Please help, and thank you so much.
> > >              
> > >             _______________________________________________
> > >             Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > >             Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > >             List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > > 
> > >             Conference: https://suricon.net
> > >             Trainings: https://suricata-ids.org/training/
> 


 

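The splitting Amar suggests above, worked through as an added example that is not part of this thread and not Suricata's own code. It takes a country prefix list of the kind Jason points at, collapses overlapping and adjacent prefixes so the variable is as short as it can be, cuts the result into several address-group variables of at most N entries each, and prints the vars.address-groups fragment plus Jason's drop rule with one negated entry per variable. The sample prefixes are constructed for the example (only the first three come from Jason's message), the per-variable size is an arbitrary knob to lower until the SC_ERR_ADDRESS_ENGINE_GENERIC error goes away, and whether a given Suricata release accepts several negated entries next to $EXTERNAL_NET in one address list is an assumption to confirm with `suricata -T` before deploying.

```python
"""Build split Suricata address-group variables from a country prefix list.

Added example for the oisf-users thread above; hypothetical helper, not
Suricata code.  Run it, paste the printed fragment into suricata.yaml under
vars.address-groups, and load the printed rule.
"""
import ipaddress
from typing import Dict, Iterator, List

# Constructed sample.  The first three prefixes are the ones in Jason's
# message; the rest are made up so the collapse step has something to do:
# one entry is adjacent to 27.34.176.0/20 and one is inside 14.100.0.0/16.
SAMPLE_SG_PREFIXES = [
    "1.32.128.0/18",
    "14.100.0.0/16",
    "27.34.176.0/20",
    "27.34.160.0/20",      # adjacent to 27.34.176.0/20 -> merges into 27.34.160.0/19
    "14.100.10.0/24",      # covered by 14.100.0.0/16 -> dropped
    "101.100.128.0/17",
    "103.6.0.0/22",
    "116.12.0.0/17",
]


def normalise(prefixes: List[str]) -> List[ipaddress.IPv4Network]:
    """Parse, validate and collapse prefixes.

    strict=False tolerates host bits in the input ('1.2.3.4/24' -> 1.2.3.0/24),
    which GeoIP dumps sometimes contain.  collapse_addresses removes prefixes
    covered by another entry and merges adjacent, aligned neighbours, so fewer
    entries end up in each variable.
    """
    nets = [ipaddress.ip_network(p.strip(), strict=False)
            for p in prefixes if p.strip()]
    if any(n.version != 4 for n in nets):
        raise ValueError("this example handles IPv4 prefixes only")
    return list(ipaddress.collapse_addresses(nets))


def chunk(nets: List[ipaddress.IPv4Network], per_var: int) -> Iterator[List[ipaddress.IPv4Network]]:
    """Yield consecutive slices of at most per_var networks."""
    for i in range(0, len(nets), per_var):
        yield nets[i:i + per_var]


def address_groups(name: str, prefixes: List[str], per_var: int) -> Dict[str, str]:
    """Return {VAR_NAME: "[cidr,cidr,...]"} ready for vars.address-groups.

    If everything fits in one variable it keeps the plain name (SG_NET);
    otherwise it numbers them (SG_NET_1, SG_NET_2, ...), which is the
    splitting Amar proposes for the address buffer limit.
    """
    nets = normalise(prefixes)
    groups: Dict[str, str] = {}
    for idx, part in enumerate(chunk(nets, per_var), start=1):
        var = f"{name}_{idx}" if len(nets) > per_var else name
        groups[var] = "[" + ",".join(str(n) for n in part) + "]"
    return groups


def yaml_fragment(groups: Dict[str, str]) -> str:
    """Render the variables as a vars.address-groups YAML fragment."""
    lines = ["vars:", "  address-groups:"]
    for var, value in groups.items():
        lines.append(f'    {var}: "{value}"')
    return "\n".join(lines) + "\n"


def drop_rule(groups: Dict[str, str], sid: int = 56) -> str:
    """Jason's drop rule with one negated entry per generated variable.

    Assumption: the target Suricata accepts several negated entries beside
    $EXTERNAL_NET in a single address list; check with `suricata -T`.
    """
    src = "[" + ",".join(f"!${v}" for v in groups) + ",$EXTERNAL_NET]"
    return (f'drop http {src} any -> any any '
            f'(msg:"WORDPRESS Brute Force Login"; flow:to_server,established; '
            f'content:"POST"; http_method; content:"/wp-login.php"; nocase; http_uri; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    # per_var=4 is deliberately small so the sample splits into two variables.
    groups = address_groups("SG_NET", SAMPLE_SG_PREFIXES, per_var=4)
    print(yaml_fragment(groups))
    print(drop_rule(groups))
```

The collapse step matters on its own: a raw country list pulled from a GeoIP database often contains prefixes that are subsets or aligned neighbours of each other, and folding them away can keep a variable under the limit without any splitting at all. Lower `per_var` only as far as needed, since every extra variable adds one more negated entry to the rule's source address list.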