I’ve been using Suricata for a while and I still don’t have enough experience to create my own rules.
Could you tell me, please, how I can detect clients who have a KVM VPS with us and scan other servers? (Absolutely random ports; it’s easier to eliminate some well-known ones that aren’t used for exploits than to list the ones you’ve encountered so far.)
- We had abuses for both TCP and UDP scans.
Any help is welcome.
You could send some traffic to others’ VPSs using scan tools on your KVM VPS, for example Nmap or Masscan, capture the traffic with Wireshark or tcpdump, then analyse the traffic fingerprint to write rules.
You could try a simple approach first, where you leverage the thresholding features in Suricata. In addition to that, you could use the flow events and use those logs in a post-process that tries to define a port scan.
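As an added worked example (not code from either reply above, and not Suricata's own tooling), here is the flow-log post-processing idea from the second reply in Python: it reads EVE JSON `flow` events, keeps only flows that never got a packet back from the target (the typical signature of a scanner hitting random closed or filtered ports, TCP or UDP alike), and flags any source that touched more than a threshold of distinct (destination, port, protocol) tuples inside a sliding time window. The IP addresses, thresholds and the embedded sample log lines are constructed for the demonstration; tune `window_seconds` and `distinct_threshold` to your own traffic before acting on results.

```python
"""Post-process Suricata EVE JSON flow events to spot port scans from local VPS hosts.

Added example; not part of the original thread. The sample eve.json lines are
constructed below, with documentation-range addresses (203.0.113.x as the VPS
clients, 198.51.100.x as scan targets).

A pure-Suricata alternative is a threshold rule such as (illustrative only):
  alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible outbound TCP scan";
      flags:S; flow:stateless; threshold: type threshold, track by_src,
      count 20, seconds 60; sid:1000001; rev:1;)
but a SYN count alone cannot tell 20 connections to one web server from 20
probes of 20 different ports; counting distinct targets in the flow log can.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"  # Suricata EVE timestamp layout, e.g. 2024-03-01T10:00:00.000000+0000


def is_unanswered(event):
    """True when the target never sent anything back (closed/filtered port, no SYN/ACK, no UDP reply)."""
    return event.get("flow", {}).get("pkts_toclient", 0) == 0


def detect_scanners(eve_lines, window_seconds=60, distinct_threshold=20):
    """Return {src_ip: peak_distinct_targets} for sources whose unanswered flows reached
    more than distinct_threshold distinct (dest_ip, dest_port, proto) tuples within
    any window_seconds-long window."""
    by_src = defaultdict(list)
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "flow" or not is_unanswered(ev):
            continue
        ts = datetime.strptime(ev["flow"]["start"], TS_FMT)
        target = (ev["dest_ip"], ev.get("dest_port"), ev["proto"])
        by_src[ev["src_ip"]].append((ts, target))

    scanners = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        window = deque()            # (timestamp, target) pairs currently inside the window
        in_window = defaultdict(int)  # target -> how many flows to it are inside the window
        peak = 0
        for ts, target in events:
            window.append((ts, target))
            in_window[target] += 1
            # slide the window forward: evict flows older than window_seconds
            while (ts - window[0][0]).total_seconds() > window_seconds:
                old_ts, old_target = window.popleft()
                in_window[old_target] -= 1
                if in_window[old_target] == 0:
                    del in_window[old_target]
            peak = max(peak, len(in_window))
        if peak > distinct_threshold:
            scanners[src] = peak
    return scanners


def _flow_line(ts, src, dst, port, proto, answered):
    """Build one constructed EVE flow record with the fields the detector uses."""
    stamp = ts.strftime(TS_FMT)
    return json.dumps({
        "timestamp": stamp, "event_type": "flow",
        "src_ip": src, "src_port": 40000 + port % 1000,
        "dest_ip": dst, "dest_port": port, "proto": proto,
        "flow": {
            "pkts_toserver": 1, "pkts_toclient": 1 if answered else 0,
            "bytes_toserver": 60, "bytes_toclient": 60 if answered else 0,
            "start": stamp, "state": "established" if answered else "new",
        },
    })


def build_sample():
    """Constructed eve.json lines: one fast scanner, one slow scanner, one normal client."""
    base = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # fast scanner: 25 distinct ports (TCP and UDP mixed) on one host within ~10 seconds, no replies
    for i in range(25):
        lines.append(_flow_line(base + timedelta(milliseconds=400 * i), "203.0.113.10",
                                "198.51.100.5", 1000 + 37 * i, "TCP" if i % 2 == 0 else "UDP", False))
    # slow scanner: same 25 ports, one probe every 15 seconds (evades a 60 s window)
    for i in range(25):
        lines.append(_flow_line(base + timedelta(seconds=15 * i), "203.0.113.20",
                                "198.51.100.6", 1000 + 37 * i, "TCP", False))
    # normal client: a few answered flows to a web server
    for i, port in enumerate((443, 443, 80)):
        lines.append(_flow_line(base + timedelta(seconds=i), "203.0.113.30",
                                "198.51.100.7", port, "TCP", True))
    return lines


if __name__ == "__main__":
    # In production replace build_sample() with: open("/var/log/suricata/eve.json")
    for src, peak in detect_scanners(build_sample()).items():
        print(f"{src}: {peak} distinct unanswered targets within 60 s")
```

The slow scanner in the sample shows the obvious caveat: a 60 s window misses a host that probes one port every 15 s, while `detect_scanners(lines, window_seconds=600)` catches it, so run the same pass over a few window sizes rather than one. Restricting the source side to your own VPS ranges (the `$HOME_NET` direction in the rule comment) keeps inbound scans from the internet out of the result.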