2026-04-01T13:14:58-03:00
Notice
suricata
[Drop] [1:3400002:2] POSSBL PORT SCAN (NMAP -sS) [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.0.ABC:60788 -> 201.XXX.YYY.ZZZ:464
Suricata seems to be dropping, but I can still execute nmap 201.XXX.YYY.ZZZ 3 or 4 times...
It never blocks.
IPS inline, with netmap IPS.
Hyperscan in use.
Detect profile = medium.
Isn't it supposed to prevent the nmap execution?
Like giving the source a timeout or something like that?
What did I miss?
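Each Suricata `[Drop]` entry records one packet (or flow) that matched the rule and was discarded; the action does not by itself block the source host, so a scanner can keep probing and keep producing entries. As an added example (not from the original post), here is a parser for the alert-line format quoted above that groups drops per source, which is the check to run before deciding whether a separate blocking mechanism is needed. The regex assumes the post's format (plus Suricata's own `[**]` separators) and IPv4 addresses; the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Pattern for the alert line quoted in the post (assumption: that format).
# Also tolerates the "[**]" separators Suricata's fast.log emits; IPv4 only.
ALERT_RE = re.compile(
    r"\[(?P<action>[^\]]+)\]\s+(?:\[\*\*\]\s+)?"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+(?:\[\*\*\]\s+)?"
    r"\[Classification:\s*(?P<classification>[^\]]+)\]\s+\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^:\s]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^:\s]+):(?P<dport>\d+)"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields

def drops_per_source(lines):
    """Count [Drop] entries per source address. A source that keeps appearing
    has had each matching packet dropped individually; nothing in these entries
    blocks the host itself, so the scan can continue and keep generating drops."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert and alert["action"] == "Drop":
            counts[alert["src"]] += 1
    return dict(counts)

def repeat_offenders(lines, threshold=3):
    """Sources with at least `threshold` dropped packets: the candidates a
    separate blocking mechanism (firewall table or similar) would act on."""
    return sorted(src for src, n in drops_per_source(lines).items() if n >= threshold)

# Constructed sample lines in the post's format (addresses and sid 1000001 are placeholders).
SAMPLE_LINES = [
    "[Drop] [1:3400002:2] POSSBL PORT SCAN (NMAP -sS) [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.0.10:60788 -> 203.0.113.5:464",
    "[Drop] [1:3400002:2] POSSBL PORT SCAN (NMAP -sS) [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.0.10:60789 -> 203.0.113.5:464",
    "[Drop] [1:3400002:2] POSSBL PORT SCAN (NMAP -sS) [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.0.10:60790 -> 203.0.113.5:464",
    "04/01/2026-13:15:02.000000  [**] [1:1000001:1] CONSTRUCTED TEST ALERT [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 172.16.0.20:51234",
    "this line is not an alert",
]

if __name__ == "__main__":
    print(drops_per_source(SAMPLE_LINES))   # {'172.16.0.10': 3}
    print(repeat_offenders(SAMPLE_LINES))   # ['172.16.0.10']
```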