
suricata not blocking nmap scan


monkeydelufy:
hi guys,

I'm using Suricata and have enabled it on the WAN interface, because my OPNsense faces the public internet directly using a public IP.
Now I try to scan my OPNsense IP using nmap from my PC. It scans, but there is no alert from Suricata itself. Tuning the rules gives the same result. Any idea why this happens? I have to protect my OPNsense from threats.

Still no solution found here. Any idea how it works, or does it only work for the LAN interface?

OPNsense 22.7.4 running on VMware ESXi 7

cookiemonster:
If Suricata is monitoring the WAN interface, it doesn't see the scan when you do it from your LAN. Different interface.

monkeydelufy:

--- Quote from: cookiemonster on September 23, 2022, 11:03:35 pm ---If Suricata is monitoring the WAN interface, it doesn't see the scan when you do it from your LAN. Different interface.

--- End quote ---

No, I do it from the internet, not from the LAN side. My OPNsense uses a public IP, so I try to scan using another PC that is not attached to the OPNsense network. I run nmap, and when the scan finishes no alert is found.

cookiemonster:
emerging-scan.rules is one that has spotted SSH and nmap scans for me (I think).
So you need to verify the rules you have enabled and the type of scan you are performing.
A bit of background: https://forum.suricata.io/t/suricata-ids-and-nmap/506
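As an added example (not code from this thread, and not from Suricata or OPNsense), here is the check cookiemonster suggests, done against constructed sample data: parse eve.json alert records, keep those whose signature is an ET SCAN rule, restrict them to the capture interface the scan should have arrived on, and read the rules file to see which ET SCAN rules are commented out. Everything in the sample is a placeholder: the eve.json lines, the rule lines, the SIDs 9000001 and up, the rule names marked "(constructed)", and the interface names vmx0/vmx1 are not real Emerging Threats rules or real Suricata output. The path and field names assume Suricata's standard eve.json format, which is what OPNsense's IDS writes when EVE logging is enabled.

```python
"""Triage Suricata eve.json for scan alerts and check which ET SCAN rules are enabled.

Added example for the forum thread; sample eve.json and rule lines are constructed.
"""
import json
import re
from collections import Counter

# Constructed eve.json records, one JSON object per line (not real Suricata output).
# vmx0 stands in for the WAN capture interface, vmx1 for LAN; both are placeholders.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2022-09-24T10:00:01.000000+0000","event_type":"alert","in_iface":"vmx0",'
    '"src_ip":"203.0.113.5","dest_ip":"198.51.100.10","dest_port":22,"proto":"TCP",'
    '"alert":{"action":"allowed","signature_id":9000001,"rev":1,'
    '"signature":"ET SCAN Potential SSH Scan (constructed)",'
    '"category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2022-09-24T10:00:01.500000+0000","event_type":"flow","in_iface":"vmx0",'
    '"src_ip":"203.0.113.5","dest_ip":"198.51.100.10","dest_port":443,"proto":"TCP"}',
    '{"timestamp":"2022-09-24T10:00:02.000000+0000","event_type":"alert","in_iface":"vmx0",'
    '"src_ip":"203.0.113.5","dest_ip":"198.51.100.10","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","signature_id":9000002,"rev":1,'
    '"signature":"ET SCAN Nmap Version Probe (constructed)",'
    '"category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2022-09-24T10:00:03.000000+0000","event_type":"alert","in_iface":"vmx1",'
    '"src_ip":"192.168.1.20","dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP",'
    '"alert":{"action":"allowed","signature_id":9000003,"rev":1,'
    '"signature":"ET POLICY DNS Query (constructed)",'
    '"category":"Potential Corporate Privacy Violation","severity":3}}',
])

# Constructed excerpt in emerging-scan.rules syntax; a leading '#' disables a rule.
# SIDs 9000001-9000004 are placeholders, not real Emerging Threats SIDs.
SAMPLE_RULES = """\
# constructed excerpt, not the real emerging-scan.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan (constructed)"; flags:S; threshold:type both, track by_src, count 5, seconds 120; classtype:attempted-recon; sid:9000001; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 1024 (constructed)"; flags:S; window:1024; threshold:type both, track by_dst, count 1, seconds 60; classtype:attempted-recon; sid:9000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Version Probe (constructed)"; flags:PA; classtype:attempted-recon; sid:9000002; rev:1;)
"""

# Matches one rule line; an optional leading '#' marks it as disabled.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject)\s.*?msg:"(?P<msg>[^"]*)".*?sid:(?P<sid>\d+);'
)


def rule_status(rules_text):
    """Map sid -> (enabled, msg) for every rule line in a .rules file."""
    status = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and plain comments
        status[int(m.group("sid"))] = (m.group("disabled") is None, m.group("msg"))
    return status


def scan_alerts(eve_text, iface=None):
    """Return eve.json alert events whose signature is an ET SCAN rule.

    If iface is given, keep only alerts captured on that interface, which is the
    first thing to check when a WAN-side scan seems to produce nothing.
    """
    hits = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        if iface is not None and ev.get("in_iface") != iface:
            continue
        if ev["alert"]["signature"].startswith("ET SCAN"):
            hits.append(ev)
    return hits


def summarize(eve_text, rules_text, iface=None):
    """Count scan alerts per signature and per source, and list disabled ET SCAN rules."""
    hits = scan_alerts(eve_text, iface)
    per_sig = Counter(h["alert"]["signature"] for h in hits)
    per_src = Counter(h["src_ip"] for h in hits)
    disabled = sorted(
        sid for sid, (enabled, msg) in rule_status(rules_text).items()
        if not enabled and msg.startswith("ET SCAN")
    )
    return {
        "per_signature": dict(per_sig),
        "per_source": dict(per_src),
        "disabled_scan_rules": disabled,
    }


if __name__ == "__main__":
    # On a real box, read /var/log/suricata/eve.json and the installed rules files instead.
    print(json.dumps(summarize(SAMPLE_EVE, SAMPLE_RULES, iface="vmx0"), indent=2))
```

Two results matter here: whether any ET SCAN alert exists at all on the WAN interface (if the only alerts are on the LAN interface, Suricata is not seeing the scan where you expect), and which ET SCAN rules are still commented out in the installed rules file, since a rule that is disabled cannot fire no matter what nmap sends.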

monkeydelufy:

--- Quote from: cookiemonster on September 24, 2022, 10:57:51 pm ---emerging-scan.rules is one that has spotted SSH and nmap scans for me (I think).
So you need to verify the rules you have enabled and the type of scan you are performing.
A bit of background: https://forum.suricata.io/t/suricata-ids-and-nmap/506

--- End quote ---

I only use `nmap -sV target`, just like that, and emerging-scan already has a rule for that, but there is still no detection; the alert event is not showing up. I don't know what I'm missing; maybe someone has a clue.

Or maybe there is another solution for port scanning or something similar.
Thanks.
