When using the default rules in Suricata (suricata.rules) and doing an intense scan of the network it's monitoring with Nmap (nmap -T4 -A -v <ip address>), I get no alerts, and I have heard that the default rules SHOULD ALREADY include signatures able to detect the most common types of scans.
Does anyone know what I'm doing wrong or what I'm missing?
What version are you using?
What does your suricata.yaml look like?
How do you run Suricata?
Did you use suricata-update to fetch some initial rules like ETOpen?
- I'm using version 6.0.9.
- I run Suricata normally along with the Wazuh components (indexer, manager, dashboard) on an Ubuntu server running as a virtual machine.
- I have run the command suricata-update at least once every time before I start the service.
- Because I am using a server version of Ubuntu, it doesn't support copying and pasting contents from the VM to the host. But basically the only things I have changed in suricata.yaml are the variables HOME_NET, the interface in the af-packet section, default-rule-path and rule-files. Also, because of a warning I get when I do a syntax test of the file, I enabled the sip, mqtt and rdp variables, as the warning messages recommend that I do so.
I WANT TO MAKE IT CLEAR THAT I AM GETTING ALERTS, JUST NOT FOR NMAP SCANS.
Which exact ruleset are you using and which rules do you expect to trigger?
Standard scans are not that interesting because they're mostly just noise. But the more relevant ones are covered by ETOpen, for example; have a look at the ET SCAN category.
I'm using the ETOpen ruleset, and I've mostly been trying to do intense scans (nmap -T4 -A -v <ip address>) to trigger an alert.
I don't know which rules to expect to be triggered, because they've never been triggered; all I've been able to do thus far is speculate by analyzing the .rules file (suricata.rules).
I think it's worth also mentioning that I use the Nmap tool and the Ubuntu server on the same network, so the traffic would be coming from within the HOME_NET. I don't think that should be a problem, though, because I've noticed that some rules take into account packets coming from within, yet they don't trigger alerts.
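The two points raised above, that the relevant signatures live in the ET SCAN category and that the scanner here sits inside HOME_NET, are connected by the rule header. Most ET SCAN rules are written as `$EXTERNAL_NET any -> $HOME_NET any`, and the stock suricata.yaml defines `EXTERNAL_NET: "!$HOME_NET"`, so a scan launched from a host inside HOME_NET is filtered out by the address gate before any content or threshold options are even evaluated. The script below is an added example (not part of the thread and not Suricata's own code) that reproduces Suricata's address-variable semantics for a rule header so you can check which rule shapes can fire for a given source/destination pair under your own address-groups. The HOME_NET value, the two rules and their sids are constructed for illustration; they are not real ET rules.

```python
"""
Evaluate the address gate of a Suricata rule header against a packet's
src/dst IPs, using vars.address-groups semantics from suricata.yaml.
Ports, flow state and content options are deliberately ignored: the point
is to show when a rule cannot fire regardless of what the packet contains.
"""
import ipaddress
import re

# Assumed address-groups for the example. The stock suricata.yaml ships
# HOME_NET as the RFC1918 ranges and EXTERNAL_NET as "!$HOME_NET".
ADDRESS_GROUPS = {
    "HOME_NET": "[192.168.1.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
}

# Constructed rules whose headers mirror the two common ET SCAN shapes.
# sids are in the local range; msgs are placeholders, not ET text.
RULES = {
    "external_only": ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
                      '(msg:"EXAMPLE SYN scan from outside"; flags:S,12; '
                      'threshold:type threshold,track by_src,count 50,seconds 10; '
                      'sid:1000001; rev:1;)'),
    "any_source":    ('alert tcp any any -> $HOME_NET any '
                      '(msg:"EXAMPLE SYN scan from anywhere"; flags:S,12; '
                      'threshold:type threshold,track by_src,count 50,seconds 10; '
                      'sid:1000002; rev:1;)'),
}

HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)


def _split_group(spec):
    """Split a bracketed group on top-level commas, keeping nested [] intact."""
    items, depth, cur = [], 0, ""
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        items.append(cur.strip())
    return items


def address_matches(spec, ip, groups=ADDRESS_GROUPS):
    """True if ip is covered by a Suricata address spec.

    Handles any, host/CIDR, $VAR references, ! negation and [a,b,!c] groups.
    A group matches when the IP is inside one of its positive entries (or the
    group has none, e.g. [!10.0.0.0/8]) and inside none of the negated ones.
    """
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not address_matches(spec[1:], ip, groups)
    if spec.startswith("$"):
        return address_matches(groups[spec[1:]], ip, groups)
    if spec.startswith("[") and spec.endswith("]"):
        items = _split_group(spec[1:-1])
        positives = [i for i in items if not i.startswith("!")]
        negatives = [i[1:] for i in items if i.startswith("!")]
        in_positive = not positives or any(address_matches(p, ip, groups) for p in positives)
        in_negative = any(address_matches(n, ip, groups) for n in negatives)
        return in_positive and not in_negative
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def parse_header(rule):
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Suricata rule header: " + rule[:40])
    return m.groupdict()


def header_matches(rule, src_ip, dst_ip, groups=ADDRESS_GROUPS):
    """True if the rule's address fields admit a packet src_ip -> dst_ip."""
    h = parse_header(rule)
    fwd = address_matches(h["src"], src_ip, groups) and address_matches(h["dst"], dst_ip, groups)
    if h["dir"] == "<>":  # bidirectional header: either orientation passes
        rev = address_matches(h["src"], dst_ip, groups) and address_matches(h["dst"], src_ip, groups)
        return fwd or rev
    return fwd


def which_rules_fire(src_ip, dst_ip, groups=ADDRESS_GROUPS, rules=RULES):
    """Names of rules whose address gate passes for this src/dst pair."""
    return sorted(name for name, r in rules.items() if header_matches(r, src_ip, dst_ip, groups))


if __name__ == "__main__":
    # Scanner and target both inside the assumed HOME_NET.
    print("inside -> inside :", which_rules_fire("192.168.1.50", "192.168.1.10"))
    # Same scan from a documentation range outside HOME_NET.
    print("outside -> inside:", which_rules_fire("203.0.113.5", "192.168.1.10"))
    # Same inside scan after setting EXTERNAL_NET to "any" for testing.
    lab = {"HOME_NET": "[192.168.1.0/24]", "EXTERNAL_NET": "any"}
    print("inside, EXTERNAL_NET=any:", which_rules_fire("192.168.1.50", "192.168.1.10", lab))
```

With the defaults, only the `any any -> $HOME_NET` shape survives the address gate for an inside-to-inside scan; `$EXTERNAL_NET -> $HOME_NET` rules are never consulted for it. Setting `EXTERNAL_NET: "any"` in a lab suricata.yaml (or excluding the scanner host from HOME_NET, e.g. `[192.168.1.0/24,!192.168.1.50]`) makes those rules eligible again; `suricata --dump-config | grep -i net` shows the values actually in effect. Whether a rule then fires still depends on its options, such as the SYN count and window in the threshold above.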
I'm a member of the Emerging Threats team. If you are able to share a pcap of the nmap scan, I'll be more than happy to let you know why the rules aren't firing, or create new ones to ensure we have coverage!
Since I'm using the Zenmap GUI on a Windows machine, it only lets me save the scan in .xml or .nmap format. Let me know if you need it in .pcap format.
Here it is:
scan.zip (46.0 KB)