Suricata not blocking nmap scan

Started by monkeydelufy, September 23, 2022, 04:54:07 PM

September 23, 2022, 04:54:07 PM Last Edit: September 23, 2022, 05:05:35 PM by monkeydelufy
Hi guys,

I am using Suricata and enabled it on the WAN interface because my OPNsense faces the public internet directly with a public IP.
Now when I try to scan my OPNsense IP using nmap from my PC, it scans, but there is no alert from Suricata itself. Tuning the rules, still the same. Any idea why this happens? I have to protect my OPNsense from threats.

Still have not found a solution here. Any idea how this works, or does it only work for the LAN interface...?

OPNsense 22.7.4 running on VMware ESXi 7

If Suricata is monitoring the WAN interface, it doesn't see the scan when you do it from your LAN. Different interface.

Quote from: cookiemonster on September 23, 2022, 11:03:35 PM
If Suricata is monitoring the WAN interface, it doesn't see the scan when you do it from your LAN. Different interface.

No, I do it from the internet, not from the LAN side. My OPNsense uses a public IP, so I try to scan it using another PC; this PC is not attached to the OPNsense network. So I run nmap, and then no alert is found when the scan finishes.


emerging-scan.rules is one that has spotted SSH and nmap scans for me (I think).
So you need to verify the rules you have enabled and the type of scan you are performing.
A bit of background: https://forum.suricata.io/t/suricata-ids-and-nmap/506
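As an added illustration of the two checks suggested above (which scan rules are actually enabled, and whether Suricata logged any alert at all for the scanning host), here is a small Python script that is not from this thread and not part of OPNsense or Suricata. It parses a rules file for enabled versus commented-out "ET SCAN" rules (a leading "#" is how a disabled rule appears after tuning) and counts eve.json alert records whose src_ip is the scanner. The rule lines, their sids, the eve.json records and the IP addresses are constructed samples; the default paths in the usage block are assumptions to verify on your own box.

```python
import json
import re
import sys
from collections import Counter

# --- Constructed sample data (not real rule text, not real logs) -------------
# Lines in the layout of an ET rules file. A leading '#' marks a rule that is
# present but disabled. The sids are placeholders, not the real ET sids.
SAMPLE_RULES = """\
# Comment line that is not a rule at all
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Sample NMAP -sV probe"; flow:to_server; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Sample SSH scan"; flow:to_server; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY Sample non-scan rule"; sid:9000003; rev:1;)
"""

# Three eve.json records: a flow record (not an alert), an alert from the
# scanner, and an alert from an unrelated host. Addresses are documentation ranges.
SAMPLE_EVE = """\
{"timestamp":"2022-09-25T09:00:01.000000+0000","event_type":"flow","src_ip":"203.0.113.10","dest_ip":"198.51.100.1","proto":"TCP"}
{"timestamp":"2022-09-25T09:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.10","dest_ip":"198.51.100.1","dest_port":22,"alert":{"signature":"ET SCAN Sample SSH scan","signature_id":9000002,"action":"allowed"}}
{"timestamp":"2022-09-25T09:00:03.000000+0000","event_type":"alert","src_ip":"203.0.113.77","dest_ip":"198.51.100.1","dest_port":80,"alert":{"signature":"ET POLICY Sample non-scan rule","signature_id":9000003,"action":"allowed"}}
"""

# Matches an (optionally commented-out) rule line and pulls msg and sid out of it.
RULE_RE = re.compile(
    r'^(?P<off>#)?\s*(alert|drop|pass|reject)\s.*?msg:"(?P<msg>[^"]*)".*?sid:(?P<sid>\d+)'
)


def parse_rules(text):
    """Return [{'sid': int, 'msg': str, 'enabled': bool}] for every rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank line or plain comment, not a rule
        rules.append({"sid": int(m.group("sid")), "msg": m.group("msg"),
                      "enabled": m.group("off") is None})
    return rules


def rule_status(text, prefix="ET SCAN"):
    """Split the sids of rules whose msg starts with prefix into enabled/disabled."""
    enabled, disabled = [], []
    for r in parse_rules(text):
        if r["msg"].startswith(prefix):
            (enabled if r["enabled"] else disabled).append(r["sid"])
    return enabled, disabled


def alerts_from(eve_text, src_ip):
    """Count alert signatures in eve.json text whose src_ip is the scanner."""
    hits = Counter()
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "alert" and rec.get("src_ip") == src_ip:
            hits[rec["alert"]["signature"]] += 1
    return hits


def diagnose(rules_text, eve_text, scanner_ip):
    """Combine both checks into one verdict for the thread's question."""
    enabled, disabled = rule_status(rules_text)
    hits = alerts_from(eve_text, scanner_ip)
    if hits:
        verdict = "alerts present for scanner"
    elif not enabled:
        verdict = "no ET SCAN rules enabled: nothing can fire"
    else:
        verdict = ("rules enabled but no alerts: confirm the probes reach the WAN "
                   "interface (tcpdump) and check the scan type")
    return {"enabled": enabled, "disabled": disabled, "hits": dict(hits), "verdict": verdict}


if __name__ == "__main__":
    # Assumed OPNsense locations; adjust to what your install actually uses.
    rules_path = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/etc/suricata/rules/emerging-scan.rules"
    eve_path = sys.argv[2] if len(sys.argv) > 2 else "/var/log/suricata/eve.json"
    scanner = sys.argv[3] if len(sys.argv) > 3 else "203.0.113.10"
    try:
        with open(rules_path) as f, open(eve_path) as g:
            print(diagnose(f.read(), g.read(), scanner))
    except OSError:
        # Fall back to the constructed samples so the script runs anywhere.
        print(diagnose(SAMPLE_RULES, SAMPLE_EVE, scanner))
```

Run it with the scanning host's public address as the third argument; a verdict of "rules enabled but no alerts" points at the packets never reaching the interface Suricata listens on, which is what the tcpdump suggestion later in the thread tests.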

September 25, 2022, 09:27:29 AM #4 Last Edit: September 25, 2022, 09:30:26 AM by monkeydelufy
Quote from: cookiemonster on September 24, 2022, 10:57:51 PM
emerging-scan.rules is one that has spotted SSH and nmap scans for me (I think).
So you need to verify the rules you have enabled and the type of scan you are performing.
A bit of background: https://forum.suricata.io/t/suricata-ids-and-nmap/506

I only use nmap -sV target, just like that, and emerging-scan already has a rule for that, but still no detection; the event alert is not showing up. I don't know what I missed; maybe someone has a clue.

Or maybe there is any other solution for port scanning or something similar.
Thanks.

Try a tcpdump on the OPNsense WAN interface to actually see that the scan is incoming. Don't you have a modem/router in between which only NATs specific ports?

The interface must be WAN because the WAN interface uses the public IP address.