I run a small hosting company and I’ve leased a /24 subnet, and my IP provider has very strict rules regarding abuses.
Can anyone help me with some example rules to detect brute force attacks and port scanning going outside of our network to the internet?
We’re running Proxmox on Debian 10 with Suricata installed.
It works just fine using ET Rules to detect outbound SSH scans but I still have issues blocking port scanning outbound.
Any tip for this achievement?
You could write your own signatures using the threshold feature: 6.31. Thresholding Keywords — Suricata 6.0.4 documentation
But this might also be easier done within a rate limit in any firewall you have in place as well
I cannot figure out how to track number of outbound connections only if they match exactly same port.
What I mean is that I should not provide any port number to destination but suricata itself need to be able to figure out how many outbound connections are made to port 22, 3306 etc.
Alerting/dropping traffic based on number of IPs or ports connected to within a time frame is a heuristics-based approach and does not play to the strengths of Suricata IMO. There are some tools at your disposal like thresholding, flowbits, flowint and datasets, though I think that your specific use case is hard to implement.
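As an added example (not posted by anyone in the thread), here is what the thresholding approach from the first reply looks like as local rules for the outbound SSH and MySQL case, plus a coarse port-agnostic variant that shows why "same port, any port" cannot be expressed in one rule. The /24, counts and sids are assumed placeholders.

```suricata
# local-outbound-scan.rules (added example, not from the thread)
# Assumes suricata.yaml defines the leased /24 as HOME_NET, e.g.
#   vars:
#     address-groups:
#       HOME_NET: "[203.0.113.0/24]"      # placeholder for the leased block
#       EXTERNAL_NET: "!$HOME_NET"
# Only outbound SYNs are counted (flags:S, ignoring reserved bits 1 and 2),
# tracked per hosted source IP. Tune count/seconds against real traffic.

# One rule per destination port: a hosted host opening 20+ new SSH
# connections to the internet within 60 s. "threshold: type both" alerts
# once per window after the count is reached, so the log stays readable.
alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"LOCAL SCAN outbound SSH sweep from hosted host"; flags:S,12; threshold: type both, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 3306 (msg:"LOCAL SCAN outbound MySQL sweep from hosted host"; flags:S,12; threshold: type both, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000002; rev:1;)

# Coarse port-agnostic variant: counts SYNs to any port per source host.
# It catches a noisy host but cannot group by "same destination port"
# the way the per-port rules do, which is the limitation discussed above.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL SCAN outbound TCP SYN burst from hosted host"; flags:S,12; threshold: type both, track by_src, count 300, seconds 60; classtype:attempted-recon; sid:1000003; rev:1;)

# Blocking (inline/IPS mode only; in IDS mode "drop" just alerts):
# detection_filter, unlike threshold, matches on every packet after the
# count, so each further SYN from the offending host to port 22 within
# the window is dropped rather than only logged once.
drop tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"LOCAL SCAN outbound SSH sweep from hosted host - blocked"; flags:S,12; detection_filter:track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000004; rev:1;)
```

Load the file via the rule-files list in suricata.yaml and check it with `suricata -T` before a reload; matching a hosted IP against these alerts in eve.json is then the evidence to act on.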