VM Version: Ubuntu Desktop 20.04.2
Suricata Version: 6.0.0 Release
I am running suricata in IPS mode with nfq and I have an XAMPP server running. I'm trying to create a rule that allows http traffic on a web browser with port 80, while blocking all nmap traffic. Is there a signature or content I can specify to accomplish this? Right now I have
drop tcp any any -> $HOME_NET !80 (msg:"Possible Nmap TCP SYN Scan"; flow:from_client;flags:S; sid:5;rev:1;)
which blocks nmap from scanning all ports other than 80. However, this rule also blocks out ssh, which I want for my testing with ssh bruteforcing (and not reveal the port at the same time).
Currently before turning on suricata, I get:
$ sudo nmap 192.168.233.196
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14
Nmap scan report for 192.168.233.196
Host is up (0.00046s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
MAC Address: 00:0C:29:C9:25:D3 (VMware)
And after I turn it on, I get:
$ sudo nmap 192.168.233.196
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14
Nmap scan report for 192.168.233.196
Host is up (0.0012s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0C:29:C9:25:D3 (VMware)
I want to accomplish not having ports revealed whilst still being able to access the services (i.e. 80/tcp and 21/tcp). Thanks!
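A quick check I would add as an editor (not part of the original post): parse the two nmap scans quoted above and list which ports the drop rule turned from open to filtered, so it is clear at a glance that 21/tcp is now blocked along with 443 and 3306 while 80/tcp is untouched. The scan text below is a constructed sample re-typed from the post.

```python
import re

# Constructed sample input: the port tables from the two scans in the post
# (before enabling Suricata, and after).
BEFORE = """\
Not shown: 996 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
"""

AFTER = """\
Not shown: 999 filtered ports
PORT   STATE SERVICE
80/tcp open  http
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\w+) ports")


def parse_scan(text):
    """Return ({port: state}, default_state) from nmap's normal output.
    Ports nmap folds into the 'Not shown:' line get the default state."""
    ports, default = {}, None
    for line in text.splitlines():
        m = NOT_SHOWN.match(line)
        if m:
            default = m.group(2)
            continue
        m = PORT_LINE.match(line)
        if m and m.group(2) == "tcp":
            ports[int(m.group(1))] = m.group(3)
    return ports, default


def diff_scans(before, after):
    """Map each listed port whose state changed to (old_state, new_state)."""
    b_ports, b_default = parse_scan(before)
    a_ports, a_default = parse_scan(after)
    changes = {}
    for port in sorted(set(b_ports) | set(a_ports)):
        old = b_ports.get(port, b_default)
        new = a_ports.get(port, a_default)
        if old != new:
            changes[port] = (old, new)
    return changes


def blocked_services(before, after):
    """Ports that were open before the IPS and are filtered after it,
    i.e. the services the drop rule made unreachable, not just hidden."""
    return sorted(p for p, (old, new) in diff_scans(before, after).items()
                  if old == "open" and new == "filtered")
```

Running `blocked_services(BEFORE, AFTER)` on the post's scans returns 21, 443 and 3306, which matches the complaint that ftp is lost even though only port 80 was excluded from the rule.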