VM Version: Ubuntu Desktop 20.04.2
Suricata Version: 6.0.0 Release
I am running Suricata in IPS mode with NFQ and I have an XAMPP server running. I’m trying to create a rule that allows HTTP traffic from a web browser on port 80, while blocking all nmap traffic. Is there a signature or content I can specify to accomplish this? Right now I have
drop tcp any any -> $HOME_NET !80 (msg:"Possible Nmap TCP SYN Scan"; flow:from_client;flags:S; sid:5;rev:1;)
which blocks nmap from scanning all ports other than 80. However, this rule also blocks out SSH, which I want to use for my testing with SSH brute-forcing (and not reveal the port at the same time).
Currently before turning on suricata, I get:
$ sudo nmap 192.168.233.196
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14
Nmap scan report for 192.168.233.196
Host is up (0.00046s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
443/tcp open https
3306/tcp open mysql
MAC Address: 00:0C:29:C9:25:D3 (VMware)
And after I turn it on, I get:
$ sudo nmap 192.168.233.196
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14
Nmap scan report for 192.168.233.196
Host is up (0.0012s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 00:0C:29:C9:25:D3 (VMware)
I want to accomplish not having the ports revealed whilst still being able to access the services (i.e. 80/tcp and 21/tcp). Thanks!
Yes, however this does not mean you can’t do anything.
You can still block some of the nmap scanners by detecting IPs that send many SYN packets in a short period of time (indicating an IP scanning a full network/host).
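A rate-based rule of the kind this reply describes, added here as an illustration and not taken from the thread or from any Suricata rule set; the count, seconds and sid values are assumptions to tune locally, and $HOME_NET is assumed to cover the XAMPP host.

```suricata
# Added example (not from the thread): drop SYNs only from sources that send
# many of them quickly, instead of dropping every SYN to a non-80 port.
# count/seconds/sid are assumed values; adjust to your environment.

# A normal SSH or FTP client sends one SYN per connection and stays well under
# the count. detection_filter only starts matching after a single source has
# sent more than 15 SYNs to $HOME_NET within 5 seconds, i.e. the 16th SYN
# onward is dropped, so a default nmap SYN scan (1000 ports) trips it quickly.
# flags:S,12 matches SYN while ignoring the two reserved (ECN) bits.
drop tcp any any -> $HOME_NET any (msg:"Rate-based TCP SYN scan, dropping further SYNs from source"; flow:to_server; flags:S,12; detection_filter:track by_src, count 15, seconds 5; classtype:attempted-recon; sid:1000001; rev:1;)

# Optional companion alert so the log records the scanning source once a
# minute rather than once per dropped packet (alert only, no drop).
alert tcp any any -> $HOME_NET any (msg:"TCP SYN scan source (rate limited)"; flow:to_server; flags:S,12; detection_filter:track by_src, count 15, seconds 5; threshold:type limit, track by_src, count 1, seconds 60; classtype:attempted-recon; sid:1000002; rev:1;)
```

Once the filter trips, the scanner's later SYNs to port 80 are dropped as well, so that source sees every port as filtered until the window expires; a deliberately slow scan that stays under 15 SYNs per 5 seconds will not trigger it, which is the trade-off of rate-based detection.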
@IDSTower I see, would you mind pointing me in the right direction for this (blocking differs from dropping packets, correct)? A link would be much appreciated. Thanks