Hi, everyone.
I first heard of Suricata today, so am (very) new to this. I have used Darktrace before, which uses AI to monitor network traffic headers, and alerts on anything “anomalous”.
I would like to know if it’s possible for Suricata to detect a network scan. I can see it’s based on rules, so something like “Any host has sent a packet of less than 40 bytes to more than 20 destinations in the past minute” would be the kind of thing I’m after.
Is that possible, please? If not, is there another way anyone knows of to achieve this? I used to do some informal red teaming, but am a bit out of touch with all things security at the moment.
If it doesn’t come out of the box that way, would it be possible to export each pair of communicating devices into an external database, then monitor that so if a device increases the number of devices it’s communicated with very suddenly, that can be alerted on? Just thinking out loud, really. I also don’t know what system we’re using to analyse Suricata’s output. Sorry.
Thanks very much.
Tom
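One way to implement the flow-export idea from the post above, as an added example that is not from the original post or from the Suricata project: a Python script that reads Suricata's eve.json `flow` records and alerts when one source has contacted more than 20 distinct destinations within a trailing 60-second window. It assumes the standard EVE flow fields (`timestamp`, `src_ip`, `dest_ip`) and feeds itself constructed sample records rather than real traffic.

```python
"""Fan-out (scan-like) detector over Suricata EVE JSON flow records (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

EVE_TS = "%Y-%m-%dT%H:%M:%S.%f%z"  # e.g. 2024-05-01T10:00:00.000000+0000


def detect_fanout(eve_lines, threshold=20, window_seconds=60):
    """Return one alert per source each time its number of distinct destinations
    seen within the trailing window rises above `threshold`.
    Lines are expected in timestamp order, which is how eve.json is written."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)                        # src_ip -> (ts, dest_ip) in window
    per_dest = defaultdict(lambda: defaultdict(int))   # src_ip -> dest_ip -> flows in window
    alerts = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "flow":
            continue
        src, dst = ev["src_ip"], ev["dest_ip"]
        ts = datetime.strptime(ev["timestamp"], EVE_TS)
        q, counts = recent[src], per_dest[src]
        before = len(counts)                           # distinct peers before this flow
        while q and ts - q[0][0] > window:             # expire flows older than the window
            _, old = q.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        q.append((ts, dst))
        counts[dst] += 1
        if before <= threshold < len(counts):          # alert once on crossing, not per flow
            alerts.append({"src_ip": src, "timestamp": ev["timestamp"],
                           "distinct_dests": len(counts)})
    return alerts


def build_sample():
    """Constructed eve.json lines (not captured traffic): 10.0.0.5 touches 25 distinct
    hosts in 25 seconds (scan-like), 10.0.0.7 talks to 3 hosts (normal)."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    events = [(base + timedelta(seconds=i), "10.0.0.5", f"10.0.1.{i + 1}") for i in range(25)]
    events += [(base + timedelta(seconds=5 * i), "10.0.0.7", f"10.0.2.{i}") for i in (1, 2, 3)]
    events.sort()
    return [json.dumps({"timestamp": t.strftime(EVE_TS), "event_type": "flow",
                        "src_ip": s, "dest_ip": d, "proto": "TCP"}) for t, s, d in events]


if __name__ == "__main__":
    for alert in detect_fanout(build_sample()):
        print(alert)
```

Suricata's own `threshold` and `detection_filter` rule keywords count rule matches per tracked source or destination, not distinct peers, which is why the distinct-destination count is done here on the exported flow log instead of in a rule.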