Hack3rcon
(Jason Long)
1
Hello,
How can I block the Nmap scanner via Suricata-IDS? Any rule exist?
Thank you.
syoc
2
Have a look at: Try to check nmap scan with suricata
Seems like Emerging Threats have some nmap rules. You can try changing the alert keyword to drop.
Hack3rcon
(Jason Long)
3
No default rule?
Suricata-IDS can’t detect Nmap?
1 Like
bwoodberg
(Brad Woodberg)
4
Hi Jason,
There is no one default rule because NMAP uses many different techniques to scan, so it wouldn’t be possible to do this with a single signature. You would likely need some combination of signatures + Suricata’s IDS decoder events. If you do find a specific NMAP technique (or any scanner, tool, vulnerability PoC &c) that we do not have Suricata coverage for, please submit a request for coverage to either support@emergingthreats.net or through our feedback portal at https://feedback.emergingthreats.net with the specific technique that is not detected, and ideally a PCAP of the traffic for us to analyze.
Best Regards,

Hack3rcon
(Jason Long)
5
bwoodberg
(Brad Woodberg)
6
Hi Jason,
Looking at these rules, I see a few problems:

Hack3rcon
(Jason Long)
7
What problem? They are not working properly?
bwoodberg
(Brad Woodberg)
8
Looks like my email response got cut off. Reposting the full response in the Discourse Web which explains it:
Hi Jason,
Looking at these rules, I see a few problems:
- They lock it down to a specific IP address, which, yes, could be used to detect scans, but might not be good for the general ruleset from an FP perspective.
- They do not actually affirmatively identify NMAP, they may identify the technique, but it could be any tool using the same scan.
- There isn’t any thresholding, which will result in FPs for at least some of these signatures.
Still, I’ll inquire with our threat research team to see if there’s anything we can do to detect the techniques in a reliable manner.
Regards,
1 Like
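The three problems listed above (host-pinned source, no affirmative tool identification, no thresholding), as an added example that is not from this thread, from the Emerging Threats ruleset or from the rules Jason posted: a host-pinned rule next to a generalized form that tracks SYN rate per source and a NULL-scan variant. The 192.0.2.10 address, the sid numbers, the count/seconds values and the rule messages are constructed placeholders chosen for illustration, not values the thread gives.

```suricata
# Constructed example rules, not from the thread or any published ruleset.

# (1) Weak form: pinned to one source address, fires on every single SYN.
#     Only ever matches one host and alerts on every normal connection
#     attempt from it, so it is useless in a general ruleset.
alert tcp 192.0.2.10 any -> $HOME_NET any (msg:"EXAMPLE SYN from pinned host"; flags:S,12; sid:1000001; rev:1;)

# (2) Generalized form: any external source, SYN-only packets (reserved
#     bits masked with ",12"), flow:stateless so it is evaluated on packets
#     that never complete a handshake. threshold limits the alert to one
#     per source per 10 s window and only once 100 SYNs have been seen, so
#     ordinary clients opening a few connections do not trip it.
#     Note the msg: it names the technique, not a tool, because any scanner
#     sending the same packets will match.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE SYN scan candidate - 100 SYNs from one source in 10s"; flags:S,12; flow:stateless; threshold:type both, track by_src, count 100, seconds 10; classtype:attempted-recon; sid:1000002; rev:1;)

# (3) Same idea for a NULL scan (no TCP flags set). Legitimate stacks never
#     send these, so a lower count is reasonable, but thresholding still
#     keeps one noisy probe from producing hundreds of alerts.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE NULL scan candidate - flagless TCP segments from one source"; flags:0; flow:stateless; threshold:type both, track by_src, count 20, seconds 10; classtype:attempted-recon; sid:1000003; rev:1;)

# (4) Inline/IPS variant of (2): the only change is alert -> drop, as
#     suggested earlier in the thread. Keep the threshold, otherwise a
#     burst of SYNs from a busy but legitimate host gets blackholed.
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE SYN scan candidate - drop in IPS mode"; flags:S,12; flow:stateless; threshold:type both, track by_src, count 100, seconds 10; classtype:attempted-recon; sid:1000004; rev:1;)
```

Rules (2) and (3) can be checked against a capture with `suricata -r scan.pcap -S example.rules` and reading `fast.log` (or `eve.json`); with the threshold in place you should see one alert per scanning source per window rather than one per probe packet. Tune `count` and `seconds` to the site's normal connection rate before promoting such rules beyond a lab, since they still only identify the scan technique, not the tool that sent it.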
Hack3rcon
(Jason Long)
9
Thanks to you and Suricata-IDS team.