Outbound: Port Scanning & Brute Force detection

Hello!
I run a small hosting company and I’ve leased a /24 subnet and my IPs provider has very strict rules regarding abuses.
Can anyone help me with some example rules to detect brute force attacks and port scanning going outside of our network to the internet?
We’re running Proxmox on Debian 10 with Suricata installed.
Thank you!

Take a look here.


It works just fine using ET Rules to detect outbound SSH scans but I still have issues blocking port scanning outbound.
Any tip for this achievement?
Thank you!

You could write your own signatures using the threshold feature: 6.31. Thresholding Keywords — Suricata 6.0.4 documentation

But this might also be easier done within a rate limit in any firewall you have in place as well
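For the threshold approach suggested above, here is an added example of what such local rules could look like. This is not from the thread or from the ET ruleset; it assumes `$HOME_NET` is set to the leased /24 in suricata.yaml, and the sids (9000001-9000003), counts and time windows are placeholders to tune for the hosts' normal traffic.

```suricata
# local.rules (added example; not part of the original thread)

# One hosted IP sending many TCP SYNs to port 22 on external hosts inside a
# minute. "type both" fires once per source per window, then stays quiet
# until the window expires, so a brute-force run yields one alert per minute.
alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"LOCAL Outbound SSH brute force/scan candidate"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 30, seconds 60; classtype:attempted-recon; sid:9000001; rev:1;)

# Same shape for MySQL; one rule per service port you care about.
alert tcp $HOME_NET any -> $EXTERNAL_NET 3306 (msg:"LOCAL Outbound MySQL brute force/scan candidate"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 30, seconds 60; classtype:attempted-recon; sid:9000002; rev:1;)

# detection_filter variant: matches every SYN after a source exceeds the
# count, so with a drop action (inline/IPS mode) the excess connection
# attempts are blocked rather than just logged once.
drop tcp $HOME_NET any -> $EXTERNAL_NET [22,3306,3389] (msg:"LOCAL Outbound brute force blocked"; flow:to_server; flags:S,12; detection_filter: track by_src, count 30, seconds 60; classtype:attempted-recon; sid:9000003; rev:1;)

# threshold.config (separate file): escalate sid 9000001 from alert to drop
# for 5 minutes once the same source has triggered it 3 times in 5 minutes.
rate_filter gen_id 1, sig_id 9000001, track by_src, count 3, seconds 300, new_action drop, timeout 300
```

In IDS (passive) mode `drop` and `new_action drop` only change the alert to a would-drop log entry; blocking needs Suricata running inline (NFQ or AF_PACKET IPS mode) on the path to the internet.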

Hi, Andreas!
I cannot figure out how to track the number of outbound connections only if they match exactly the same port.
What I mean is that I should not provide any port number for the destination, but Suricata itself needs to be able to figure out how many outbound connections are made to port 22, 3306, etc.
Thank you!

Alerting/dropping traffic based on the number of IPs or ports connected to within a time frame is a heuristics-based approach and does not play to the strengths of Suricata IMO. There are some tools at your disposal like thresholding, flowbits, flowint and datasets, though I think that your specific use case is hard to implement.