NMAP ARP Detection

Please include the following information with your help request:

  • Suricata version = 7.0.1
  • Operating system and/or Linux distribution = Ubuntu 22.0.3
  • How you installed Suricata (from source, packages, something else) = Installed from binary

I am trying to create a Suricata rule that generates an alert after detecting 600 arp packets. This is to detect Nmap ARP (-PR) scans.

The current rule that I am trying is:
alert ip any any -> any any (msg:"ARP"; content:"|08 06|"; flowint:arpcount, +, 1; flowint:arpcount, >, 600; sid:7000005;)

Another rule that I have tried is:
alert ip any any -> any any (msg:"ARP2"; content:"|08 06|"; threshold: type threshold, track by_src, count 600, seconds 10; sid:7000006;)

However, both rules fail to generate any alerts… Any ideas why? 08 06 was used to identify a packet as an ARP packet.

In my opinion ARP is an OSI layer 2 protocol and IP is layer 3, so I think this will not work? Reference: What is the Address Resolution Protocol (ARP)?


is used on TCP/UDP streams so above layer 4

You want it on the Ethernet header…

Suricata only counts it for stats, cf. src/decode.h:

        case ETHERNET_TYPE_ARP:
            StatsIncr(tv, dtv->counter_arp);
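Since the replies above point out that ARP frames never reach an `alert ip` rule (Suricata only increments a stats counter for them), the per-source counting the question asks for has to be done on the Ethernet layer by something other than a Suricata signature. The following is an added example, not code from the original thread or from the Suricata project: a small Python detector that decodes Ethernet/ARP frames from raw bytes, keys them by sender MAC, and mirrors the semantics of `threshold: type threshold, track by_src, count 600, seconds 10` from the second rule. The MAC addresses, IP ranges, timestamps and frames are all constructed inline for the demonstration; in practice `observe()` would be fed from a pcap reader or a raw socket.

```python
import struct
from collections import defaultdict, deque

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST = 1
ETH_HDR_LEN = 14
ARP_LEN = 28  # Ethernet/IPv4 ARP header


def parse_arp_request(frame: bytes):
    """Return (sender_mac, target_ip) for an Ethernet/IPv4 ARP request, else None.

    The EtherType is read from the Ethernet header, which is the only place
    where 08 06 means "this frame is ARP"; the same two bytes inside an IPv4
    payload are not a match.
    """
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    arp = frame[ETH_HDR_LEN:ETH_HDR_LEN + ARP_LEN]
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen, opcode) != (1, ETHERTYPE_IPV4, 6, 4, ARP_REQUEST):
        return None
    sender_mac = arp[8:14].hex(":")
    target_ip = ".".join(str(b) for b in arp[24:28])
    return sender_mac, target_ip


class ArpScanDetector:
    """Sliding window per sender MAC: raise an alert each time `count` ARP
    requests are seen within `seconds`, like Suricata's
    'threshold: type threshold, track by_src, count N, seconds S'."""

    def __init__(self, count=600, seconds=10.0):
        self.count = count
        self.seconds = seconds
        self.recent = defaultdict(deque)  # sender MAC -> request timestamps in window

    def observe(self, ts: float, frame: bytes):
        parsed = parse_arp_request(frame)
        if parsed is None:
            return None
        mac, _ = parsed
        q = self.recent[mac]
        q.append(ts)
        while q and ts - q[0] > self.seconds:
            q.popleft()
        if len(q) >= self.count:
            q.clear()  # 'type threshold' semantics: restart the count after alerting
            return f"possible ARP scan from {mac}: {self.count} requests within {self.seconds}s"
        return None


def build_arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Constructed broadcast ARP request frame (test input, not captured traffic)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, ARP_REQUEST)
           + sender_mac + sender_ip + b"\x00" * 6 + target_ip)
    return eth + arp


def run_constructed_scenario(count=600, seconds=10.0):
    """Replay constructed frames through the detector and return the alerts raised."""
    det = ArpScanDetector(count, seconds)
    scanner = bytes.fromhex("020000000001")     # constructed MAC of the sweeping host
    quiet_host = bytes.fromhex("020000000002")  # constructed MAC of a normal host
    alerts = []

    # A host refreshing its gateway entry once a second never trips the threshold.
    for i in range(20):
        frame = build_arp_request(quiet_host, bytes([10, 0, 0, 50]), bytes([10, 0, 0, 1]))
        a = det.observe(float(i), frame)
        if a:
            alerts.append(a)

    # A host sweeping 10.0.0.1 .. 10.0.3.254 (1016 requests) within 5 seconds.
    for i in range(1016):
        target = bytes([10, 0, i // 254, i % 254 + 1])
        frame = build_arp_request(scanner, bytes([10, 0, 0, 99]), target)
        a = det.observe(20.0 + i * 5.0 / 1016, frame)
        if a:
            alerts.append(a)

    # An IPv4 frame whose payload happens to contain 08 06 is not ARP and is ignored.
    ipv4_frame = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45\x00" + b"\x08\x06" * 14
    assert det.observe(30.0, ipv4_frame) is None
    return alerts


if __name__ == "__main__":
    for line in run_constructed_scenario():
        print(line)
```

The window is keyed on the sender MAC rather than an IP because a layer 2 sweep is identified by who is asking, and because the sender IP field of an ARP request is attacker-controlled. Lowering `count` or widening `seconds` trades false positives from busy hosts against sensitivity to slower sweeps.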