Detect Port Scanning

Good evening!
I’ve been using Suricata for a while and I still don’t have enough experience to create my own rules.
Could you tell me, please, how I can detect clients who have a KVM VPS with us and scan other servers? (Absolutely random ports; it’s easier to eliminate some well-known ones that aren’t used for exploits than to list the ones you’ve encountered so far.)

We had abuses with both TCP and UDP scans.
Any help is welcome 🙂

You could send some traffic to other VPSs with scan tools on your KVM VPS, for example Nmap or Masscan, capture the traffic with Wireshark or tcpdump, then analyse the traffic fingerprint to write rules.

You could try a simple approach first, where you leverage the thresholding features in Suricata. In addition to that, you could use the flow events and use those logs for a post-process that tries to define a port scan.