Hello,
Created some custom rules I borrowed from ET, but it seems like the destination variable $HOME_NET is ignored? Maybe a second pair of eyes can share some insight?
alert tcp $HOME_NET any -> $HOME_NET any (msg:"SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,Emerging Threats; classtype:attempted-recon; sid:100000022; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
It also hits on destination IPs way outside the HOME_NET scope defined in suricata.yaml (Suricata 7).
Thanks!
Andre
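An added check, not part of the post above, that evaluates only the address fields of the rule header against a constructed HOME_NET (the ranges, the variable table and the helper names are assumptions, and the evaluator is a simplified model of Suricata's address-group semantics). With a concrete HOME_NET a destination outside it cannot satisfy `$HOME_NET any -> $HOME_NET any`, while a HOME_NET that resolves to `any` reproduces exactly the out-of-scope hits described.

```python
import ipaddress

# Constructed HOME_NET definition for the demo (an assumption, not the poster's suricata.yaml).
ADDRESS_VARS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "!$HOME_NET",
}

def _split_group(spec):
    """Split 'a,[b,c],d' on commas that are not nested inside brackets."""
    parts, depth, cur = [], 0, ""
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]

def address_matches(spec, ip, variables=ADDRESS_VARS):
    """Simplified Suricata address-spec check: 'any', $VAR, !negation, [groups], CIDR."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not address_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return address_matches(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        members = _split_group(spec[1:-1])
        positives = [m for m in members if not m.startswith("!")]
        negatives = [m[1:] for m in members if m.startswith("!")]
        # [a,!b] means "in a but not in b"; a group of only negations is a pure exclusion.
        included = not positives or any(address_matches(p, ip, variables) for p in positives)
        excluded = any(address_matches(n, ip, variables) for n in negatives)
        return included and not excluded
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def header_matches(rule, src_ip, dst_ip, variables=ADDRESS_VARS):
    """Evaluate only the address fields of a rule header: 'alert tcp SRC port -> DST port (...)'."""
    header = rule.split("(", 1)[0].split()
    return (address_matches(header[2], src_ip, variables)
            and address_matches(header[5], dst_ip, variables))

# The rule from the post; only its header is used here, so the options are shortened.
RULE = ('alert tcp $HOME_NET any -> $HOME_NET any (msg:"SCAN NMAP -sA (1)"; '
        'fragbits:!D; dsize:0; flags:A,12; window:1024; sid:100000022; rev:8;)')
```

Compare the variable table with what the running instance actually resolved (`suricata --dump-config` prints the vars.address-groups values); a header check that returns False for the alerting destination while Suricata still fires points at the loaded variable, not the rule.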