How to write Suricata rules to detect UDP_Sweep scan with metasploit?

Hi all,
I want to write Suricata rules to detect UDP Sweep scanning with metasploit. I have a .pcap file (attachment).
UPD_sweep.pcap (91.5 KB)

Based on UDP scan, when a generic UDP packet is sent to a UDP port of a remote host, one of the following occurs:

  • If the UDP port is open, the packet is accepted, no response packet is sent.
  • If the UDP port is closed, an ICMP packet is sent in response with the appropriate error code such as Destination Unreachable.

From ICMP packet analysis, I created a rule, but it's a false positive.

alert icmp any any -> $HOME_NET any (msg:"UDP_SWEEP scan detect"; flow:stateless; icode:3; itype:3; classtype:attempted-recon; sid:2022031000; rev:1;)

Anyone with any suggestions, please help me!
Thanks all!

The response is a normal ICMP packet and the rate is also okay, so even adding a threshold might not be what you want. Maybe it’s better to focus on the actual scans and try to use a threshold to see if specific IPs scan a lot.

Sorry for the late reply. I used the threshold function and counted by destination. It looks like everything is fine now. Thanks for your advice!
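As an added example (not the poster's final rule and not from the Suricata project), here is what "threshold, counted by destination" looks like in rule form, alongside the variant the earlier reply suggested: thresholding the UDP probes themselves. The `count`/`seconds` values and the `sid` numbers are assumptions to be tuned against the capture.

```suricata
# Added example rules; thresholds and sids are placeholders, not values from the thread.

# 1) ICMP port unreachable (itype 3 / icode 3) is a normal reply, so a single one
#    is not an alert. Many of them delivered *to* one host in a short window mean
#    that host is probing lots of closed ports, so the threshold tracks by_dst
#    (the destination of the ICMP reply is the scanner).
alert icmp any any -> any any (msg:"UDP sweep suspected - burst of ICMP port unreachable to one host"; itype:3; icode:3; threshold: type threshold, track by_dst, count 20, seconds 10; classtype:attempted-recon; sid:2022031001; rev:1;)

# 2) The scan traffic itself: one source sending UDP to many hosts/ports in
#    $HOME_NET. Here the scanner is the source, so track by_src.
alert udp any any -> $HOME_NET any (msg:"UDP sweep suspected - UDP probe burst from one source"; flow:stateless; threshold: type threshold, track by_src, count 20, seconds 10; classtype:attempted-recon; sid:2022031002; rev:1;)
```

Rule 1 only fires once 20 port-unreachable replies have gone to the same address within 10 seconds, which is why the lone replies that made the original rule a false positive no longer alert. Rule 2 matches every UDP packet before the threshold is applied, so on a real network a busy DNS or NTP server will cross it; either exclude those ports or keep the threshold high. Using `type both` instead of `type threshold` caps the alert volume to one per window once the count is reached.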

Did you use the same rule but added a threshold?