Suricata-IDS and Nmap

Hello,
How can I block the Nmap scanner via Suricata-IDS? Any rule exist?

Thank you.

Have a look at: Try to check nmap scan with suricata

Seems like Emerging Threats have some nmap rules. You can try changing the alert keyword to drop.

No default rule?
Suricata-IDS can’t detect Nmap?

Hi Jason,

There is no one default rule because NMAP uses many different techniques to scan, so it wouldn’t be possible to do this with a single signature. You would likely need some combination of signatures + Suricata’s IDS decoder events. If you do find a specific NMAP technique (or any scanner, tool, vulnerability PoC &c) that we do not have Suricata coverage for, please submit a request for coverage to either support@emergingthreats.net or through our feedback portal at https://feedback.emergingthreats.net with the specific technique that is not detected, and ideally a PCAP of the traffic for us to analyze.

Best Regards,

image001.png

Thank you, but the Suricata-IDS could provide some of the rules against popular Nmap scan technique!!!
I think the Snort can detect some of the Nmap scans: https://frankfu.click/security/ids/how-to-detect-nmap-scan-using-snort.html#:~:text=IDENTIFY%20NMAP%20PING%20SCAN&text=Therefore%20be%20smart%20and%20add,rule%20file%20in%20text%20editor

Hi Jason,

Looking at these rules, I see a few problems:

image001.png

What problem? They are not working properly?

Looks like my email response got cutoff. Reposting the full response in the Discourse Web which explains it:

Hi Jason,

Looking at these rules, I see a few problems:

  1. They lock it down to a specific IP address, which yes could be used to detect scans, but might not be a good for the general ruleset from an FP perspective.
  2. They do not actually affirmatively identify NMAP, they may identify the technique, but it could be any tool using the same scan.
  3. There isn’t any thresholding, which will result in FP’s for at least some of these signatures.

Still, I’ll inquire with our threat research team to see if there’s anything we can do to detect the techniques in a reliable manner.

Regards,

1 Like

Thanks to you and Suricata-IDS team.