Suricata can not detect sA scan

phospherus · March 14, 2024, 1:57pm

This is the detailed content of the PCAP package

this is my rule

Why Suricata unable to detect sA scan

Andreas_Herz · March 14, 2024, 2:00pm

Please provide more details about your Suricata version, config and how you run it.
But I guess it’s related to the fact that the connection is from 192.168.161.129 and 192.168.161.130 so both IPs might be in your HOME_NET and thus excluded in your EXTERNAL_NET so that will never match at all.

phospherus · March 14, 2024, 2:21pm

thanks for your help

phospherus · March 14, 2024, 2:36pm

I still have a question
I ran Suricata with no rules,but the flow type data in eve.json shows that tcp_flags is 0.Is there any way to display the TCP flag.

here is my suricata.yaml
suricata.yaml (83.1 KB)

Andreas_Herz · April 25, 2024, 7:51pm

Can you provide a pcap with the example traffic?

Topic		Replies	Views
Suricata doesn't detect nmap scan suricata	1	340	December 12, 2023
Suricata not detecting some packets in a pcap Help rules , suricata , pcaps	4	480	August 10, 2023
Enabling Pcap based on source IP	1	405	January 11, 2021
I need help about Arachni scanner Rules	24	3389	October 8, 2020
How to write Suricata rules to detect UDP_Sweep scan with metasploit? Rules rules , suricata	3	887	January 2, 2023

Suricata can not detect sA scan

Related Topics