[ SOLVED ] Seems to drop, but still can execute nmap from internal IP!

Started by gilberto.ferreira41, April 01, 2026, 06:21:45 PM

April 01, 2026, 06:21:45 PM Last Edit: April 02, 2026, 10:43:46 PM by gilberto.ferreira41 Reason: SOLVED
2026-04-01T13:14:58-03:00
Notice
suricata
[Drop] [1:3400002:2] POSSBL PORT SCAN (NMAP -sS) [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.0.ABC:60788 -> 201.XXX.YYY.ZZZ:464

Suricata seems to drop, but I can still execute nmap 201.XXX.YYY.ZZZ, 3 or 4 times...
It never blocks.
IPS inline, with netmap IPS.
Hyperscan in use.
Detect profile = medium.
Isn't it supposed to prevent the nmap execution?
Like, give the source a timeout or something like that?

What did I miss?


I've done it.
I had to install the suricata scenario in crowdsec.
Then I created a custom acquisition for crowdsec, named suricata.yaml, which has the eve log path.
I restarted the crowdsec process.
In the IDS/IPS service, I enabled the EVE log and BANG!
Now when some internal machine tries to run nmap <EXTERNAL_IP>, it's logged by suricata and banned by crowdsec!
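The steps from the solution post, collected into one script as an added example (this is not code from the thread, from OPNsense or from CrowdSec). It writes the acquisition file the post describes, wraps the hub install and restart, and adds an offline check that scans an EVE log for the post's signature ID (1:3400002) and counts hits per source IP, so you can confirm Suricata is actually writing what CrowdSec needs before blaming the ban. The EVE path, the acquis.d directory, the `service crowdsec restart` command and the hub collection name `crowdsecurity/suricata` are assumptions for an OPNsense box; the sample EVE lines are constructed, with 198.51.100.7 standing in for the redacted external address.

```shell
#!/bin/sh
# Added example, not from the original thread. Paths and service names below are
# assumptions for OPNsense (FreeBSD); adjust EVE_LOG / ACQUIS_DIR / restart command.

EVE_LOG="${EVE_LOG:-/var/log/suricata/eve.json}"               # assumed EVE JSON path
ACQUIS_DIR="${ACQUIS_DIR:-/usr/local/etc/crowdsec/acquis.d}"   # assumed acquis.d dir

# Emit the CrowdSec acquisition stanza that feeds EVE JSON to the suricata parser.
suricata_acquis_yaml() {
    cat <<EOF
filenames:
  - $1
labels:
  type: suricata
EOF
}

# Write the stanza to <acquis_dir>/suricata.yaml (the file name the post used)
# and print the resulting path.
write_suricata_acquis() {
    dir="$1"; log="$2"
    mkdir -p "$dir"
    suricata_acquis_yaml "$log" > "$dir/suricata.yaml"
    printf '%s\n' "$dir/suricata.yaml"
}

# Offline check: count EVE "alert" events carrying signature_id <sid>, per src_ip.
# Prints "<src_ip> <count>", busiest source first, i.e. the host CrowdSec would ban.
# Non-alert events (flow, dns, ...) and other sids are ignored.
count_sid_by_src() {
    log="$1"; sid="$2"
    grep -F '"event_type":"alert"' "$log" \
      | grep -E "\"signature_id\":$sid[,}]" \
      | sed -n 's/.*"src_ip":"\([^"]*\)".*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $2, $1}'
}

# Constructed sample EVE log (not real traffic): three drops of the nmap rule from
# 172.16.0.10, one from 172.16.0.20, one flow record and one unrelated sid.
write_sample_eve() {
    cat > "$1" <<'EOF'
{"timestamp":"2026-04-01T13:14:58.000001-0300","event_type":"alert","src_ip":"172.16.0.10","src_port":60788,"dest_ip":"198.51.100.7","dest_port":464,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":3400002,"rev":2,"signature":"POSSBL PORT SCAN (NMAP -sS)","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2026-04-01T13:14:58.000002-0300","event_type":"flow","src_ip":"172.16.0.10","src_port":60789,"dest_ip":"198.51.100.7","dest_port":465,"proto":"TCP"}
{"timestamp":"2026-04-01T13:14:58.000003-0300","event_type":"alert","src_ip":"172.16.0.10","src_port":60790,"dest_ip":"198.51.100.7","dest_port":22,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":3400002,"rev":2,"signature":"POSSBL PORT SCAN (NMAP -sS)","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2026-04-01T13:14:59.000004-0300","event_type":"alert","src_ip":"172.16.0.20","src_port":41000,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":3400002,"rev":2,"signature":"POSSBL PORT SCAN (NMAP -sS)","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2026-04-01T13:14:59.000005-0300","event_type":"alert","src_ip":"172.16.0.10","src_port":60791,"dest_ip":"198.51.100.7","dest_port":443,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":3400002,"rev":2,"signature":"POSSBL PORT SCAN (NMAP -sS)","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2026-04-01T13:14:59.000006-0300","event_type":"alert","src_ip":"172.16.0.30","src_port":50000,"dest_ip":"198.51.100.7","dest_port":25,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
EOF
}

# One-shot setup on the firewall (needs cscli; not run by the offline check):
# install the hub collection, drop the acquisition file, restart the agent, then
# confirm the eve.json acquisition shows reads in `cscli metrics` and that a scan
# from an internal host shows up in `cscli decisions list`.
setup_crowdsec_suricata() {
    cscli collections install crowdsecurity/suricata   # parser + scenarios for EVE (assumed name)
    write_suricata_acquis "$ACQUIS_DIR" "$EVE_LOG"
    service crowdsec restart                             # assumed rc service name on OPNsense
    cscli metrics
    cscli decisions list
}
```

Run `count_sid_by_src /var/log/suricata/eve.json 3400002` on the real log after a test scan; if it prints nothing, EVE logging is not enabled (the step the post found missing), and no acquisition file will help until it is.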