Suricata-IDS and Nmap

Hack3rcon · August 16, 2020, 8:48pm

Hello,
How can I block the Nmap scanner via Suricata-IDS? Any rule exist?

Thank you.

syoc · August 18, 2020, 6:43am

Have a look at: Try to check nmap scan with suricata

Seems like Emerging Threats have some nmap rules. You can try changing the alert keyword to drop.

Hack3rcon · August 18, 2020, 9:23am

No default rule?
Suricata-IDS can’t detect Nmap?

bwoodberg · August 18, 2020, 11:38am

Hi Jason,

There is no one default rule because NMAP uses many different techniques to scan, so it wouldn’t be possible to do this with a single signature. You would likely need some combination of signatures + Suricata’s IDS decoder events. If you do find a specific NMAP technique (or any scanner, tool, vulnerability PoC &c) that we do not have Suricata coverage for, please submit a request for coverage to either support@emergingthreats.net or through our feedback portal at https://feedback.emergingthreats.net with the specific technique that is not detected, and ideally a PCAP of the traffic for us to analyze.

Best Regards,

Hack3rcon · August 19, 2020, 9:15am

Thank you, but the Suricata-IDS could provide some of the rules against popular Nmap scan technique!!!
I think the Snort can detect some of the Nmap scans: https://frankfu.click/security/ids/how-to-detect-nmap-scan-using-snort.html#:~:text=IDENTIFY%20NMAP%20PING%20SCAN&text=Therefore%20be%20smart%20and%20add,rule%20file%20in%20text%20editor

bwoodberg · August 19, 2020, 12:38pm

Hi Jason,

Looking at these rules, I see a few problems:

Hack3rcon · August 19, 2020, 6:06pm

What problem? They are not working properly?

bwoodberg · August 19, 2020, 6:36pm

Looks like my email response got cutoff. Reposting the full response in the Discourse Web which explains it:

Hi Jason,

Looking at these rules, I see a few problems:

They lock it down to a specific IP address, which yes could be used to detect scans, but might not be a good for the general ruleset from an FP perspective.
They do not actually affirmatively identify NMAP, they may identify the technique, but it could be any tool using the same scan.
There isn’t any thresholding, which will result in FP’s for at least some of these signatures.

Still, I’ll inquire with our threat research team to see if there’s anything we can do to detect the techniques in a reliable manner.

Regards,

Hack3rcon · August 20, 2020, 9:14am

Thanks to you and Suricata-IDS team.

Topic		Replies	Views
Suricata doesn't detect nmap scan suricata	1	644	December 12, 2023
Suricata default rules (suricata.rules) don't alert about nmap scans? Rules rules , suricata	6	1599	January 30, 2023
Nmap, Metasploit and other hacking tools Rules	6	528	November 19, 2023
NMAP detection rules for Suricata in GitHub Rules ips , suricata , opnsense	6	944	May 26, 2024
Nmap Detection via Suricata Rules suricata	1	5446	May 2, 2022

Suricata-IDS and Nmap

Related topics