How to write Suricata rules to detect UDP_Sweep scan with metasploit?

Dungggg · March 17, 2022, 9:13am

hi all,
I want to write Suricata rules to detect UDP Sweep scanning with metasploit. I have .pcap file (attachment).
UPD_sweep.pcap (91.5 KB)

Based on udp scan, when a generic UDP packet is sent to a UDP port of a remote host, one of the following occurs:

If the UDP port is open, the packet is accepted, no response packet is sent.
If the UDP port is closed, an ICMP packet is sent in response with the appropriate error code such as Destination Unreachable.

ICMP packet analysis, i create a rule but it’s false positive.

alert icmp any any -> $HOME_NET any (msg:"UDP_SWEEP scan detect"; flow:stateless; icode:3; itype:3; ; classtype:attempted-recon; sid:2022031000; rev:1;)

Anyone with any suggestions please help me !
Thanks all!

Andreas_Herz · March 18, 2022, 11:29am

The response is a normal ICMP packet and the rate is also okay, so even adding a threshold might not be what you want. Maybe it’s better to focus on the actual scans and try to use a threshold to see if specific IPs scan a lot.

Dungggg · April 3, 2022, 11:48am

sorry for the late reply. I used threshold function and count by destination. It looks like everything is fine now. Thanks for your advice !!!

noob_17 · January 2, 2023, 11:12am

Did you use the same rule but added a threshold?

Topic		Replies	Views
Suricata not detecting some packets in a pcap Help rules , suricata , pcaps	4	723	August 10, 2023
Suricata rules about network scan Rules rules	2	879	January 18, 2023
Unreal_ircd_3281_backdoor) Rules	10	794	February 21, 2021
Packet logging enabled, 2 hits and more then a million packets logged Rules rules , suricata	2	247	February 29, 2024
ICMP Drop threshold for Suricata IPS Rules ips , rules , suricata	3	457	June 15, 2023

How to write Suricata rules to detect UDP_Sweep scan with metasploit?

Related topics