Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
NMAP detection rules for Suricata in Github
« previous
next »
Print
Pages: [
1
]
Author
Topic: NMAP detection rules for Suricata in Github (Read 1342 times)
albovell
Newbie
Posts: 5
Karma: 0
A Finnish cybersecurity hobbyist and B.Eng (ICT)
NMAP detection rules for Suricata in Github
«
on:
May 09, 2024, 10:47:22 am »
Hi all,
in case anyone wants Suricata detection rules against different types of NMAP scans and scan speeds (T1-T5), I wrote a bundle into Github, which do just that. Tested in a SoHo / home environment:
https://github.com/aleksibovellan/opnsense-suricata-nmaps
Everyday scanning into our WAN interfaces does generate some extra log entries, somedays a lot, but at least I personally like to see who is trying to love my router without consent.
Be safe, everyone, and if you happen to like these rules, please consider to star the repository to make it worth the time. Thanks a lot.
- Aleksi
«
Last Edit: May 09, 2024, 11:26:15 am by albovell
»
Logged
mimugmail
Hero Member
Posts: 6767
Karma: 494
Re: NMAP detection rules for Suricata in Github
«
Reply #1 on:
May 09, 2024, 06:09:05 pm »
Thx, nice idea. But it would recognize every portscan, not only from nmap I'd guess?
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
albovell
Newbie
Posts: 5
Karma: 0
A Finnish cybersecurity hobbyist and B.Eng (ICT)
Re: NMAP detection rules for Suricata in Github
«
Reply #2 on:
May 09, 2024, 06:29:13 pm »
That's pretty much correct, for example!
The -sX ("Christmas tree scan") rule detects if all the relevant TCP flags are set (flags:FPU), which is rare in normal traffic, and then takes into account the rate of such abnormal packets within a specific time. So, these packets don't need to be originated from NMAP scans specifically, but they could be transmitted from other scanners also.
Another example, the -f ("fragmented packet" scan) rule also detects some specific TCP flags (fragbits:M+D), which is rare, and then takes into account the rate of such abnormal packets. So these also don't need to be originated from NMAP specifically.
Window size 1024 seemed to be a common phenomena in many NMAP scan packets, especially in SYN (-sS) and ACK (-sA) scans, but perhaps other scanners might use that detail also in their packets.
So in short, these rules are built from various NMAP scan type packets captured and inspected in WireShark, but I assume other scanners could use similar packets also, which would make these rules work against them also. Hopefully this answered!
- Aleksi
«
Last Edit: May 09, 2024, 06:38:48 pm by albovell
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
NMAP detection rules for Suricata in Github