Suricata-IDS and Nmap

Hi Jason,

There is no one default rule because Nmap uses many different techniques to scan, so it wouldn't be possible to do this with a single signature. You would likely need some combination of signatures + Suricata's IDS decoder events. If you do find a specific Nmap technique (or any scanner, tool, vulnerability PoC, etc.) that we do not have Suricata coverage for, please submit a request for coverage to either support@emergingthreats.net or through our feedback portal at https://feedback.emergingthreats.net with the specific technique that is not detected, and ideally a PCAP of the traffic for us to analyze.

Best Regards,

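To illustrate the "combination of signatures" point in the reply above, here is an added example of a small local rule file; it is written for this page and is not part of the Emerging Threats rule set or of Suricata itself. The sid values (local 1000000+ range), the $HOME_NET variable, the threshold counts and the rule messages are assumptions; the flag combinations match what nmap -sN, -sX and -sS put on the wire, and the User-Agent string is the one the Nmap Scripting Engine sends in its HTTP probes.

```suricata
# Added example: four rules, each catching one Nmap technique.
# sid values, $HOME_NET and the threshold numbers are assumptions for this page.

# nmap -sN (NULL scan): a TCP segment with no flags set never occurs in a normal handshake.
alert tcp any any -> $HOME_NET any (msg:"LOCAL SCAN TCP NULL scan (possible nmap -sN)"; flow:stateless; flags:0; classtype:attempted-recon; sid:1000001; rev:1;)

# nmap -sX (Xmas scan): FIN, PSH and URG set together on a bare probe.
alert tcp any any -> $HOME_NET any (msg:"LOCAL SCAN TCP Xmas scan (possible nmap -sX)"; flow:stateless; flags:FPU; classtype:attempted-recon; sid:1000002; rev:1;)

# nmap -sS (SYN scan): a single SYN is normal traffic, so only a burst of SYNs from
# one source is interesting. flags:S,12 ignores the ECN bits (CWR/ECE) so ECN-enabled
# hosts still match. 'type both' alerts once per 10 s window once 50 SYNs are seen.
alert tcp any any -> $HOME_NET any (msg:"LOCAL SCAN Burst of TCP SYNs from one source (possible nmap -sS)"; flow:stateless; flags:S,12; threshold:type both, track by_src, count 50, seconds 10; classtype:attempted-recon; sid:1000003; rev:1;)

# NSE HTTP scripts send a fixed User-Agent, which is the easiest Nmap signature of all.
alert http any any -> $HOME_NET any (msg:"LOCAL SCAN Nmap Scripting Engine User-Agent"; flow:established,to_server; http.user_agent; content:"Nmap Scripting Engine"; classtype:attempted-recon; sid:1000004; rev:1;)
```

The first two rules are exact-match and fire on one packet; the third is rate-based and will also fire on any other fast port scanner, so tune count and seconds to the traffic you see. A plain connect scan (nmap -sT) completes real handshakes and needs the same threshold approach rather than a flag match. The malformed probes Nmap sends during OS fingerprinting are the part the reply attributes to decoder events: the decoder-events.rules and stream-events.rules files that ship with Suricata already raise alerts on them, so enabling those is cheaper than writing more signatures.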