Try to check nmap scan with suricata

Hello,
I’m trying to detect every nmap scan with Suricata; at this moment I can detect nmap when it is used with options -A or -T4.
I don’t see any log updating when nmap is used with options nmap -sS or nmap -p-.

For example I have these rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 4096"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:4096; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009584; classtype:attempted-recon; sid:2009584; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

or

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 3072"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009583; classtype:attempted-recon; sid:2009583; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

or

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009582; classtype:attempted-recon; sid:2009582; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Why doesn’t Suricata update the log if I use nmap -sS … against the Suricata server?
Thanks.
Regards.
Luke
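To make explicit what the three quoted rules actually require of a packet, here is an added Python model (not from this thread and not Suricata's own code) of their header tests and of the "threshold: type both, track by_dst, count 1, seconds 60" suppression. The packet summaries are constructed, the threshold model is simplified, and it shows why a SYN probe with DF set or with a window size outside 1024/3072/4096 never produces an alert, and why repeated matches against one host are collapsed into one alert per minute.

```python
from dataclasses import dataclass

# Constructed packet summaries (not real captures), carrying only the header
# fields the ET SCAN NMAP -sS rules test.
@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str        # TCP flag letters, e.g. "S", "SA", "SE" (E = ECN-echo, C = CWR)
    window: int
    ack: int = 0
    dsize: int = 0    # TCP payload length
    df: bool = False  # IP Don't-Fragment bit

# Window sizes tested by the three quoted rules (sids 2009582, 2009583, 2009584).
SCAN_WINDOWS = {1024, 3072, 4096}

def rule_matches(p: Pkt) -> bool:
    """flags:S,12 = SYN and only SYN, ignoring the two ECN bits (CWR, ECE);
    dsize:0, ack:0 and fragbits:!D (DF must be clear) are checked as written."""
    flags = set(p.flags) - {"C", "E"}
    return (flags == {"S"} and p.dsize == 0 and p.ack == 0
            and not p.df and p.window in SCAN_WINDOWS)

class Threshold:
    """Simplified model of 'type both, track by_dst, count 1, seconds 60':
    the first match for a destination alerts, further matches for that
    destination are suppressed until 60 seconds have passed."""
    def __init__(self, seconds: int = 60):
        self.seconds = seconds
        self.last_alert = {}          # dst IP -> time of last alert

    def alert(self, p: Pkt, now: float) -> bool:
        if not rule_matches(p):
            return False
        last = self.last_alert.get(p.dst)
        if last is not None and now - last < self.seconds:
            return False
        self.last_alert[p.dst] = now
        return True

def run(packets, times):
    """Feed (packet, timestamp) pairs through one rule instance; return alert flags."""
    th = Threshold()
    return [th.alert(p, t) for p, t in zip(packets, times)]
```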

What version are you running?
How did you configure Suricata?
How are the HOME_NET variables set and do you have example pcaps?

I would guess it’s just a configuration issue.

I am facing the same issue

If you have the same issue, please provide more details.

Hello,
I’ve recently started to use Suricata, and while doing some tests I discovered the same issue mentioned above. I am not an expert, but I would be happy to provide details if this could help.

In that case feel free to provide the details as requested.

My version of Suricata is 6.0.1, installed via the Debian backports repository on a RaspberryPiOS.
As for the setup, I’ve just changed what follows:

In the file /etc/default/suricata I’ve set up the ethernet interface eth0;

In the file /etc/suricata/suricata.yaml I only have uncommented and modified:

  • HOME_NET: "[192.168.178.0/24]" (which is the IP range in my LAN)
  • the interface for af-packet, pcap and pfring is eth0
  • the default-rule-path is /var/lib/suricata/rules, which in the bottom line points to suricata.rules

I’ll try to provide a pcap record as soon as I can, thank you!

But Suricata itself does detect traffic or do other rules trigger?

Yes it does; like Luke126, I tried with -A or -T4 and it works, but not with -sS or -p. Sometimes the -A doesn’t work either. If this could help, I run the scan from a Virtual Machine running Kali Linux on a computer in the same LAN as the RaspberryPi.