Good evening!
I’ve been using Suricata for a while and I still don’t have enough experience to create my own rules.
Could you tell me, please, how I can detect clients who have KVM VPS with us and scan other servers? (Absolutely random ports, it’s easier to eliminate some well-known ones that aren’t used for exploits than to list the ones you’ve encountered so far).
We have had abuse reports for both TCP and UDP scans.
Any help is welcome
You could send some traffic to another VPS from scan tools on your KVM VPS, for example Nmap/Masscan etc., and capture the traffic with Wireshark or tcpdump, then analyse the traffic fingerprint to write rules.
You could try a simple approach first, where you leverage the thresholding features in Suricata. In addition to that you could use the flow events and use those logs to have a postprocess trying to define a portscan.
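A post-processor of the kind the reply above describes, written as an added example for this thread (not code from either poster or from the Suricata project): it reads EVE JSON `flow` events and flags a source that touches many distinct (proto, ip, port) targets within a sliding window, covering TCP and UDP alike. Field names follow Suricata's EVE flow output; the window, threshold and ignored ports are assumptions to tune, and the sample lines are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 60      # assumption: sliding window; tune to your traffic
TARGET_THRESHOLD = 20    # assumption: distinct targets before a source is flagged
IGNORE_PORTS = {22, 53, 80, 443}  # busy well-known ports left out to cut noise


def parse_ts(ts):
    """EVE timestamps look like 2024-01-01T12:00:00.123456+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def detect_scanners(lines, window=WINDOW_SECONDS, threshold=TARGET_THRESHOLD):
    """Return {src_ip: max_distinct_targets} for sources that, within any
    `window` seconds, reached at least `threshold` distinct (proto, ip, port)."""
    history = defaultdict(deque)   # src_ip -> [(ts, target), ...] in time order
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        # Only flow records; both TCP and UDP count, as the question asks
        if ev.get("event_type") != "flow" or ev.get("proto") not in ("TCP", "UDP"):
            continue
        port = ev.get("dest_port")
        if port is None or port in IGNORE_PORTS:
            continue
        ts, src = parse_ts(ev["timestamp"]), ev["src_ip"]
        q = history[src]
        q.append((ts, (ev["proto"], ev["dest_ip"], port)))
        while (ts - q[0][0]).total_seconds() > window:   # expire old entries
            q.popleft()
        targets = {t for _, t in q}
        if len(targets) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def sample_eve_lines():
    """Constructed EVE flow lines (not real data): one VPS sweeping 25 ports on
    a neighbour in 10 s, one VPS repeatedly talking to a single service."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    def ev(src, dst, proto, port, offset):
        ts = (t0 + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%S.%f%z")
        return json.dumps({"timestamp": ts, "event_type": "flow", "src_ip": src,
                           "dest_ip": dst, "dest_port": port, "proto": proto})
    lines = [ev("10.0.0.5", "10.0.1.9", "TCP", 1000 + i, i * 0.4) for i in range(25)]
    lines += [ev("10.0.0.7", "10.0.2.2", "TCP", 8443, i * 5) for i in range(30)]
    return lines
```

Run it against a real `eve.json` by passing the file's lines to `detect_scanners`; flagged sources are the ones worth a closer look, not proof of abuse on their own.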