Suricata can not detect sA scan

This is the detailed content of the PCAP package


this is my rule

Why Suricata unable to detect sA scan

Please provide more details about your Suricata version, config and how you run it.
But I guess it’s related to the fact that the connection is from 192.168.161.129 and 192.168.161.130 so both IPs might be in your HOME_NET and thus excluded in your EXTERNAL_NET so that will never match at all.

thanks for your help

I still have a question
I ran Suricata with no rules,but the flow type data in eve.json shows that tcp_flags is 0.Is there any way to display the TCP flag.


here is my suricata.yaml
suricata.yaml (83.1 KB)