NMAP ARP Detection

dominiclee · September 21, 2023, 2:53am

Please include the following information with your help request:

Suricata version = 7.0.1

Operating system and/or Linux distribution = Ubuntu 22.0.3

How you installed Suricata (from source, packages, something else) = Installed from binary

I am trying to create a Suricata rule that generates an alert after detecting 600 arp packets. This is to detect Nmap ARP (-PR) scans.

The current rule that I am trying is
alert ip any any → any any (msg"ARP"; content:“|08 06|”; flowint:arpcount, +, 1; flowint:arpcount, >, 600; sid:7000005;)

another rule that I have tried is
alert ip any any → any any (msg"ARP2"; content:“|08 06|”; threshold: type threshold, track by_src, count 600, seconds 10; sid:7000006;)

However, both rules fail to generate any alerts… any ideas why? 08 06 was used to identify a packet as an arp packet.

atbohmer · September 21, 2023, 7:03pm

In my opinion arp is an OSI layer 2 protocol and IP layer 3, so I think this will not work? Reference What is the Address Resolution Protocol (ARP)?

Philippe_Antoine · September 25, 2023, 7:22am

is used on TCP/UDP streams so above layer 4

You want it on the ethernet header…

Suricata only counts it for stats cf src/decode.h

        case ETHERNET_TYPE_ARP:
            StatsIncr(tv, dtv->counter_arp);
            break;

Topic		Replies	Views
Pcap live mode no alert Help community	5	632	October 23, 2021
Try to check nmap scan with suricata Rules	10	7179	July 4, 2022
Suricata dos rule help Help rules , suricata	4	503	August 3, 2023
Testing ping alert rule Rules suricata	5	3287	July 27, 2022
Suricata ruleset help Help	7	603	July 14, 2023

NMAP ARP Detection

Related Topics