hi all,
I want to write Suricata rules to detect UDP sweep scanning with Metasploit. I have a .pcap file (attachment).
UPD_sweep.pcap (91.5 KB)
Based on how a UDP scan works, when a generic UDP packet is sent to a UDP port of a remote host, one of the following occurs:
- If the UDP port is open, the packet is accepted and no response packet is sent.
- If the UDP port is closed, an ICMP packet is sent in response with the appropriate error code, such as Destination Unreachable.
From the ICMP packet analysis, I created a rule, but it gives false positives.
alert icmp any any -> $HOME_NET any (msg:"UDP_SWEEP scan detect"; flow:stateless; icode:3; itype:3; classtype:attempted-recon; sid:2022031000; rev:1;)
Anyone with any suggestions, please help me!
Thanks all!
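A single ICMP type 3 / code 3 (port unreachable) packet is normal traffic, which is why a rule that fires on every one of them produces false positives. What distinguishes a sweep is the volume: many port-unreachable replies heading back to the same scanning host in a short window. The rule below is an added example (not from the original post) that applies a detection_filter so the alert only fires once a count threshold per destination is exceeded. It assumes the scanned hosts are in $HOME_NET, so the ICMP replies travel from $HOME_NET towards the scanner and are tracked by destination address; the count, window and sid are placeholder values to tune for your network.

```suricata
# Added example: alert only when one destination (the scanner) receives
# many ICMP port-unreachable replies from $HOME_NET in a short window.
# Assumptions: scanned hosts are in $HOME_NET; the ICMP reply's destination
# is the scanning host, hence track by_dst. count/seconds are placeholders.
alert icmp $HOME_NET any -> any any (msg:"Possible UDP sweep - many ICMP port unreachable replies to one host"; itype:3; icode:3; detection_filter:track by_dst, count 10, seconds 5; classtype:attempted-recon; sid:2022031001; rev:1;)
```

If the scanner sits inside $HOME_NET and sweeps outward, the direction and tracking key are reversed (replies arrive at $HOME_NET, and the rule should track by_dst for the internal scanner address), so check against the pcap which side the ICMP replies flow towards before choosing the direction. Lower the count or raise the window if the sweep in the capture is slower than this assumes.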