Custom Rule to Allow only web browser traffic on port 80


VM Version: Ubuntu Desktop 20.04.2
Suricata Version: 6.0.0 Release

I am running suricata in IPS mode with nfq and I have XAMPP server running. I’m trying to create a rule that allows http traffic on a web browser with port 80, while blocking all nmap traffic. Is there a signature or content i can specify to accomplish this? Right now I have

drop tcp any any -> $HOME_NET !80 (msg:"Possible Nmap TCP SYN Scan"; flow:from_client;flags:S; sid:5;rev:1;)

which blocks nmap from scanning all ports other than 80. However, this rule also block out ssh, which I want to do my testing with ssh bruteforcing (and not reveal the port at the same time).

Currently before turning on suricata, I get:

$ sudo nmap
Starting Nmap 7.91 ( ) at 2021-08-14 
Nmap scan report for
Host is up (0.00046s latency).
Not shown: 996 closed ports
21/tcp   open  ftp
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
MAC Address: 00:0C:29:C9:25:D3 (VMware)

And after I turn it on, I get:

$ sudo nmap
Starting Nmap 7.91 ( ) at 2021-08-14 
Nmap scan report for
Host is up (0.0012s latency).
Not shown: 999 filtered ports
80/tcp open  http
MAC Address: 00:0C:29:C9:25:D3 (VMware)

Want to accomplish not having ports revealed whilst being able to access the services (i.e. 80/tcp and 21/tcp). Thanks!

Dear Ryan,

It is not possible to establish TCP connection without the 3-way handshake that starts with a syn packet.

The rule you provided drops the syn packet (except on port 80) and this prevents the connections from being established (including ssh).

The only way to accomplish what you are trying to do is either to create an allowlist of IPs that can access the services and the rest are blocked.

Or by implementing some network level authentication mechanism (eg: port knocking) which will again requires that you define/customize you clients.

@IDSTower Got it. So there is no way of filtering which is Nmap traffic and which is web browsing if both use http (or 80/tcp) is that right? Thanks!

Yes, however this does not mean you can’t do anything

You can still block some of the nmap scanners by detecting ips that send many syn packet in a short period of time (indicating an ip scanning a full network/host)

@IDSTower I see would you mind pointing me in the right direction for this (blocking differs from dropping packets, correct)? A link would be much appreciated. Thanks

Dropping and blocking is the same from my prospective.

Take a look here, this files contains rules to detect many scanners including some nmap scanning techniques.

Hope this helps

ok got it thanks @IDSTower !