Detect Port Scanning

Good evening!
I’ve been using Suricata for a while and I still don’t have enough experience to create my own rules.
Could you tell me, please, how I can detect clients who have KVM VPS with us and scan other servers? (Absolutely random ports, it’s easier to eliminate some well-known ones that aren’t used for exploits than to list the ones you’ve encountered so far).

  • We had abuses both TCP and UDP scans.
    Any help is welcome :slight_smile: