OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: gilberto.ferreira41 on April 01, 2026, 06:21:45 PM

Title: [ SOLVED ] Seems to drop, but still can execute nmap from internal IP!
Post by: gilberto.ferreira41 on April 01, 2026, 06:21:45 PM
2026-04-01T13:14:58-03:00
Notice
suricata
[Drop] [1:3400002:2] POSSBL PORT SCAN (NMAP -sS) [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.0.ABC:60788 -> 201.XXX.YYY.ZZZ:464

Suricata seems to be dropping, but I can still execute nmap 201.XXX.YYY.ZZZ 3 or 4 times...
It never blocks.
IPS inline, with netmap IPS.
Hyperscan in use.
Detect profile = medium.
Isn't it supposed to prevent the nmap execution?
Like, give the source a timeout or something like that?

What did I miss?
Title: Re: Seems to drop, but still can execute nmap from internal IP!
Post by: gilberto.ferreira41 on April 02, 2026, 01:39:03 PM
Any thoughts?
Title: [ SOLVED ] Re: Seems to drop, but still can execute nmap from internal IP!
Post by: gilberto.ferreira41 on April 02, 2026, 10:43:13 PM
I did it.
I had to install the suricata scenario into crowdsec.
Then I created a custom acquisition for crowdsec, named suricata.yaml, which has the eve log path.
I restarted the crowdsec process.
In the IDS/IPS service, I enabled the EVE log and BANG!
Now when some internal machine tries to run nmap <EXTERNAL_IP>, it's logged by suricata and banned by crowdsec!
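Added example, not from the thread and not code from OPNsense, Suricata or CrowdSec: it shows why the poster's first setup logged [Drop] yet never stopped the scan, and what the CrowdSec step adds. An inline IPS drop rule discards each matching packet but keeps no memory of the offender, so every scan from the same host is dropped again and never prevented. CrowdSec reads Suricata's EVE JSON log, counts alerts per source and bans the source once a scenario threshold is met. The script below replays that pipeline over constructed EVE alert lines; the threshold, window and ban duration are demo assumptions, not values from the thread or from the CrowdSec hub scenario.

```python
"""Per-packet drop (Suricata IPS) versus per-host ban (CrowdSec-style correlation).

Added example; not code from the forum thread, OPNsense, Suricata or CrowdSec.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed EVE 'alert' lines using private / RFC 5737 addresses, not the
# poster's hosts.  Every alert already says action "blocked": Suricata dropped
# each packet, yet nothing stops the next probe from the same source.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2026-04-01T13:14:58.100000-0300","event_type":"alert","src_ip":"172.16.0.10","src_port":60788,"dest_ip":"203.0.113.5","dest_port":464,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":3400002,"rev":2,"signature":"POSSBL PORT SCAN (NMAP -sS)","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2026-04-01T13:14:58.300000-0300","event_type":"flow","src_ip":"172.16.0.10","dest_ip":"203.0.113.5","proto":"TCP"}',
    '{"timestamp":"2026-04-01T13:15:01.200000-0300","event_type":"alert","src_ip":"172.16.0.10","src_port":60790,"dest_ip":"203.0.113.5","dest_port":22,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":3400002,"rev":2,"signature":"POSSBL PORT SCAN (NMAP -sS)","category":"Attempted Information Leak","severity":2}}',
    '',
    '{"timestamp":"2026-04-01T13:15:04.500000-0300","event_type":"alert","src_ip":"172.16.0.10","src_port":60791,"dest_ip":"203.0.113.5","dest_port":443,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":3400002,"rev":2,"signature":"POSSBL PORT SCAN (NMAP -sS)","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2026-04-01T13:15:07.000000-0300","event_type":"alert","src_ip":"172.16.0.10","src_port":60792,"dest_ip":"203.0.113.5","dest_port":80,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":3400002,"rev":2,"signature":"POSSBL PORT SCAN (NMAP -sS)","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2026-04-01T13:20:00.000000-0300","event_type":"alert","src_ip":"172.16.0.20","src_port":51000,"dest_ip":"203.0.113.5","dest_port":445,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":3400002,"rev":2,"signature":"POSSBL PORT SCAN (NMAP -sS)","category":"Attempted Information Leak","severity":2}}',
    'not json: a torn line, as seen when tailing eve.json mid-write',
]

EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"   # Suricata's default EVE timestamp layout

# Assumed scenario tuning for the demo: 3 alerts from one source within 60 s
# earns a 4 h ban.  CrowdSec's hub scenarios carry their own leaky-bucket values.
ALERT_THRESHOLD = 3
WINDOW = timedelta(seconds=60)
BAN_DURATION = timedelta(hours=4)


def parse_eve_alerts(lines):
    """Return (timestamp, src_ip, signature_id, action) tuples for EVE alert events.

    EVE writes one JSON object per line; blank or torn lines and non-alert event
    types (flow, dns, stats, ...) are skipped instead of aborting the run.
    """
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        ts = datetime.strptime(ev["timestamp"], EVE_TS_FORMAT)
        alert = ev["alert"]
        alerts.append((ts, ev["src_ip"], alert["signature_id"], alert.get("action", "allowed")))
    alerts.sort(key=lambda a: a[0])
    return alerts


def decide_bans(alerts, threshold=ALERT_THRESHOLD, window=WINDOW, duration=BAN_DURATION):
    """Sliding-window alert count per source IP; ban the source at the threshold.

    Returns {src_ip: (ban_start, ban_end)}.  No packet is dropped here: Suricata
    already did that.  This step supplies the host-level memory the IPS lacks.
    """
    recent = defaultdict(deque)
    bans = {}
    for ts, src, _sid, _action in alerts:
        if src in bans:
            continue                       # already banned; later alerts are moot
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:    # expire alerts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            bans[src] = (ts, ts + duration)
    return bans


def drop_vs_ban_report(lines):
    """Contrast per-packet drops (Suricata) with per-host bans (CrowdSec-style)."""
    alerts = parse_eve_alerts(lines)
    bans = decide_bans(alerts)
    per_src = defaultdict(int)
    for a in alerts:
        per_src[a[1]] += 1
    return {
        "alerts": len(alerts),
        "packets_dropped": sum(1 for a in alerts if a[3] == "blocked"),
        "alerts_per_source": dict(per_src),
        "banned_sources": sorted(bans),
        "bans": bans,
    }


if __name__ == "__main__":
    report = drop_vs_ban_report(SAMPLE_EVE_LINES)
    print(f"{report['alerts']} alerts, {report['packets_dropped']} packets dropped by Suricata")
    for src, n in report["alerts_per_source"].items():
        verdict = "BANNED" if src in report["bans"] else "free to keep probing"
        print(f"  {src}: {n} alert(s) -> {verdict}")
```

On the poster's box the equivalent of feeding SAMPLE_EVE_LINES to this script is the acquisition file described above: a crowdsec `suricata.yaml` with `filenames: [/var/log/suricata/eve.json]` (the usual OPNsense path, an assumption here) and `labels: {type: suricata}`, plus the crowdsecurity/suricata collection (`cscli collections install crowdsecurity/suricata`), which ships the parser and the scenario the poster installed. The ban itself is applied by the firewall bouncer, not by Suricata; `cscli decisions list` shows which sources were banned and for how long.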