Why didn’t Suricata (7.0.10) detect an Nmap -sS scan (and other aggressive Nmap scans like nmap -A -p-) from an Attacker VM to a Victim VM, with Suricata running on a VM acting as an IDS? All three VMs are on the bridge adapter, and the IDS VM has promiscuous mode enabled. Am I doing something wrong?
Hi,
Thanks for posting.
Are you 100% certain that the VM hosting Suricata is receiving the scan traffic?
What rule(s) are you using to detect the scan?
100% sure because I used Wireshark to look at the traffic. Are the default rules not detecting it?
I don’t know what ruleset you’re using – can you describe those and list the rule(s) you’re expecting to catch the scan?
Chances are you’re on the same subnet. Purely for testing, I’ve found that replacing every $HOME_NET and $EXTERNAL_NET in the suricata.rules file with any:
cat /tmp/suricata.rules | sed -e 's/$HOME_NET/any/g' -e 's/$EXTERNAL_NET/any/g' > /opt/suricata/etc/suricata/rules/suricata.rules
works well.
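To see why a same-subnet scan can slip past the stock rules, the following added example (not code from the thread or from the Suricata project) models how Suricata-style address variables resolve against a rule header. The variable values are an assumption that mirrors the usual shape of a suricata.yaml (HOME_NET as the RFC 1918 ranges, EXTERNAL_NET as !$HOME_NET), the IP addresses are constructed, and the resolver is a toy that ignores ports; it is not Suricata's real matching engine. It shows that a rule written for $EXTERNAL_NET -> $HOME_NET cannot match a flow whose source is itself inside HOME_NET, and why the any/any substitution above makes it match.

```python
import ipaddress

# Assumed variable values, shaped like common suricata.yaml defaults (not copied from any install).
DEFAULT_VARS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "!$HOME_NET",
}
# Equivalent of the sed substitution in the post: both variables become 'any'.
TEST_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}

# Constructed example rule header and hosts (ports are ignored in this toy).
RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET any"
ATTACKER_VM = "192.168.56.10"   # constructed: scanner on the same bridged LAN
VICTIM_VM = "192.168.56.20"     # constructed: scan target
INTERNET_HOST = "203.0.113.5"   # constructed: a truly external source


def _expand(expr, variables):
    """Resolve an address expression to (networks, negated).

    networks is None for 'any'. Variable references ($NAME) are resolved
    recursively; a leading '!' flips the negation flag.
    """
    expr = expr.strip()
    negated = False
    if expr.startswith("!"):
        negated = True
        expr = expr[1:].strip()
    if expr.startswith("$"):
        nets, inner_negated = _expand(variables[expr[1:]], variables)
        return nets, negated ^ inner_negated
    if expr == "any":
        return None, negated
    if expr.startswith("[") and expr.endswith("]"):
        expr = expr[1:-1]
    nets = [ipaddress.ip_network(p.strip(), strict=False)
            for p in expr.split(",") if p.strip()]
    return nets, negated


def address_matches(expr, ip, variables):
    """True if ip satisfies the address expression under the given variables."""
    nets, negated = _expand(expr, variables)
    if nets is None:
        hit = True  # 'any' matches everything
    else:
        addr = ipaddress.ip_address(ip)
        hit = any(addr in net for net in nets)
    return hit != negated


def header_matches(rule_header, src_ip, dst_ip, variables):
    """Check a 'action proto src sport dir dst dport' header against a flow.

    '->' is checked in one direction; '<>' is checked both ways.
    """
    parts = rule_header.split()
    src_expr, direction, dst_expr = parts[2], parts[4], parts[5]
    forward = (address_matches(src_expr, src_ip, variables)
               and address_matches(dst_expr, dst_ip, variables))
    if direction == "->":
        return forward
    reverse = (address_matches(src_expr, dst_ip, variables)
               and address_matches(dst_expr, src_ip, variables))
    return forward or reverse


def scan_visibility():
    """Summarise which flows the example rule header can match under each variable set."""
    return {
        "same_subnet_default_vars": header_matches(RULE, ATTACKER_VM, VICTIM_VM, DEFAULT_VARS),
        "internet_source_default_vars": header_matches(RULE, INTERNET_HOST, VICTIM_VM, DEFAULT_VARS),
        "same_subnet_any_any": header_matches(RULE, ATTACKER_VM, VICTIM_VM, TEST_VARS),
    }


if __name__ == "__main__":
    for case, matched in scan_visibility().items():
        print(f"{case}: {'matches' if matched else 'no match'}")
```

The more durable fix for a lab is to set HOME_NET in suricata.yaml to only the victim's address(es) rather than the whole private range, so that the attacker VM falls into EXTERNAL_NET and the unmodified rules apply; the any/any rewrite is quick but will also make internal-to-internal noise fire.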