My rule:alert tcp any any → any any (flags:S;msg:“NMAP PORT SCAN”; threshold:type both, track by_dst, count 100, seconds 5; sid 100008; rev:1;)
No alerts When I run suricata in pcap live mode. Then I captured pcap from network card. Suricata generated alerts when I run suricata with the stored pcap file.
Suricata also generates alerts if I ajust count number and seconds number lower。
I don’t know what differences between pcap file mode and pcap live mode.
Help!!!
Hí,
The rule contains several errors, the most important:
tcp any any → any any (falgs:S;msg"NMAP PORT SCAN"; threshold:type both, track by_dst, count 100, seconds 5; sid 100008; rev:1;)
For the rule to work minimally:
alert tcp any any -> any any (flags:S;msg:"NMAP PORT SCAN"; threshold:type both, track by_dst, count 100, seconds 5; sid:100008; rev:1;)
I write wrongly. I modified rule. It doesn’t solve the problem.
The rule now will not give you an error. Now you have to review the logic of that rule.
I give you an example:
alert tcp any any -> any any (msg:"ET SCAN NMAP -sS"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60;classtype:attempted-recon; sid:xxxxxxx; rev:1;)
I want detect flood syn attack with the rule. My scan lasts 15 seconds and generates 3000+ tcp syn frames. Why doesn’t suricata generate alters with detecting traffic while it generates alerts with stored pcap files? Suricata also generates 7 alerts when I adjust count to 70 and seconds to 20. I want know if there is difference between file mode and pcap live mode in counting and timing.
I add log to print threshold info. As result, I find threshold entry’s time always equal to packet’s time in pcap live mode, while threshold entry’s time always equal to the first packet’s time before new entry generates in pcap file mode. It seems like suricata always generates new threshold entry while packet’s time changes in pcap live mode.