Try to check nmap scan with suricata

Hello,
I'm trying to detect every nmap scan with Suricata. At the moment I can detect nmap when it is used with the options -A or -T4.
I don't see any log update when nmap is used with the options nmap -sS or nmap -p-

For example I have these rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 4096"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:4096; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009584; classtype:attempted-recon; sid:2009584; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

or

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 3072"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009583; classtype:attempted-recon; sid:2009583; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

or

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009582; classtype:attempted-recon; sid:2009582; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Why doesn't Suricata update the log when I run nmap -sS … against the Suricata server?
Thanks.
Regards.
Luke

What version are you running?
How did you configure Suricata?
How are the HOME_NET variables set and do you have example pcaps?

I would guess it’s just a configuration issue.

I am facing the same issue

If you have the same issue, please provide more details.

Hello,
I've recently started to use Suricata, and while doing some tests I discovered the same issue mentioned above. I am not an expert, but I would be happy to provide details if this could help. :)

In that case feel free to provide the details as requested.

My version of Suricata is the 6.0.1, installed via the Debian backports repository on a RaspberryPiOS.
As for the setup, I've only changed what follows:

In the file /etc/default/suricata I’ve set up the ethernet interface eth0;

In the file /etc/suricata/suricata.yaml I only have uncommented and modified:

  • HOME_NET: "[192.168.178.0/24]" (which is the IP range in my LAN)
  • the interface for af-packet, pcap and pfring is eth0
  • the default-rule-path is /var/lib/suricata/rules, which in the bottom line points to suricata.rules

I’ll try to provide a pcap record as soon as I can, thank you!

But Suricata itself does detect traffic or do other rules trigger?

Yes it does. Like Luke126, I tried with -A or -T4 and it works, but not with -sS or -p. Sometimes the -A doesn't work either. If this could help, I run the scan from a virtual machine running Kali Linux on a computer in the same LAN as the Raspberry Pi.

Has anyone figured it out yet?

nmap -sS is a SYN scan. So it only uses the SYN part of the communication and does not require an ACK. The ACK is something from your server side and therefore would be detected and lead to a trigger.
-sS is a safe way of information gathering. -p probably uses a SYN scan also and does not require an ACK and therefore also goes undetected.
Open for better suggestions…
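The three ET rules quoted in the first post only fire on a bare SYN whose header satisfies every keyword (exact SYN flags, no payload, ack 0, DF clear and one of three specific window sizes). The matcher below is an added example, not code from this thread or from Suricata: it evaluates those keyword tests against constructed SYN header fields so you can see which probes the rules cover and which fall through. The packet dict layout and the sample packets are assumptions made for the example; thresholding is not modelled.

```python
import re

# The three rules quoted in the first post, copied as plain text with straight quotes.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 4096"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:4096; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009584; classtype:attempted-recon; sid:2009584; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 3072"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009583; classtype:attempted-recon; sid:2009583; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009582; classtype:attempted-recon; sid:2009582; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)',
]

def parse_options(rule):
    """Return the keyword options inside the rule's parentheses as a dict."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    return dict(re.findall(r'(\w+):([^;]*);', body))

def matches(rule, pkt):
    """True if pkt's TCP header satisfies the rule's packet-level keywords.
    pkt is an assumed dict: flags (TCP flag letters), window, ack, dsize, df (bool).
    The threshold keyword rate-limits alerts after a match and is not modelled."""
    o = parse_options(rule)
    want, _, ignore = o['flags'].partition(',')   # "S,12": exactly SYN, ignoring reserved bits 1 and 2
    have = set(pkt['flags'])
    if '1' in ignore:
        have.discard('C')                         # reserved bit 1 = CWR
    if '2' in ignore:
        have.discard('E')                         # reserved bit 2 = ECE
    df_ok = not pkt['df'] if o.get('fragbits') == '!D' else True   # fragbits:!D requires DF clear
    return (have == set(want)
            and pkt['dsize'] == int(o['dsize'])
            and pkt['ack'] == int(o['ack'])
            and pkt['window'] == int(o['window'])
            and df_ok)

def alerting_sids(pkt):
    """SIDs of the quoted rules that a single SYN would trigger."""
    return [int(parse_options(r)['sid']) for r in RULES if matches(r, pkt)]

# Constructed sample SYN headers (not captured traffic).
RAW_SYN_1024 = {'flags': 'S', 'window': 1024, 'ack': 0, 'dsize': 0, 'df': False}
OS_STACK_SYN = {'flags': 'SEC', 'window': 64240, 'ack': 0, 'dsize': 0, 'df': True}
RAW_SYN_29200 = {'flags': 'S', 'window': 29200, 'ack': 0, 'dsize': 0, 'df': False}

if __name__ == '__main__':
    for name, p in (('raw SYN, window 1024', RAW_SYN_1024),
                    ('OS stack SYN, DF set', OS_STACK_SYN),
                    ('raw SYN, window 29200', RAW_SYN_29200)):
        print(name, '->', alerting_sids(p))
```

A SYN that differs in any one field (DF set by the sending OS, ECN bits aside, or a window other than 1024/3072/4096) matches none of the three rules, which is worth checking with a pcap before concluding Suricata is misconfigured.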