NMAP detection rules for Suricata in Github

Started by albovell, May 09, 2024, 10:47:22 AM

May 09, 2024, 10:47:22 AM Last Edit: May 09, 2024, 11:26:15 AM by albovell
Hi all,

In case anyone wants Suricata detection rules against different types of NMAP scans and scan speeds (T1-T5), I wrote a bundle on GitHub which does just that. Tested in a SoHo / home environment:

https://github.com/aleksibovellan/opnsense-suricata-nmaps

Everyday scanning into our WAN interfaces does generate some extra log entries, some days a lot, but at least I personally like to see who is trying to love my router without consent.

Be safe, everyone, and if you happen to like these rules, please consider starring the repository to make it worth the time. Thanks a lot.

- Aleksi


Thx, nice idea. But it would recognize every portscan, not only from nmap I'd guess?

May 09, 2024, 06:29:13 PM #2 Last Edit: May 09, 2024, 06:38:48 PM by albovell
That's pretty much correct. For example:

The -sX ("Christmas tree scan") rule detects if all the relevant TCP flags are set (flags:FPU), which is rare in normal traffic, and then takes into account the rate of such abnormal packets within a specific time. So, these packets don't need to originate from NMAP scans specifically; they could be transmitted by other scanners as well.

Another example: the -f ("fragmented packet" scan) rule also detects some specific TCP flags (fragbits:M+D), which is rare, and then takes into account the rate of such abnormal packets. So these also don't need to originate from NMAP specifically.

Window size 1024 seemed to be a common phenomenon in many NMAP scan packets, especially in SYN (-sS) and ACK (-sA) scans, but perhaps other scanners might use that detail in their packets as well.

So in short, these rules are built from various NMAP scan type packets captured and inspected in Wireshark, but I assume other scanners could use similar packets as well, which would make these rules work against them too. Hopefully this answered! 8)

- Aleksi
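As an added illustration (not code from the linked repository), a small Python emulation of the logic Aleksi describes: each rule pairs a packet predicate (flags FPU, fragbits M+D, SYN/ACK with window 1024) with a per-source count-within-seconds threshold, the way a Suricata signature combines match keywords with threshold or detection_filter. Thresholds, rule names, addresses and the sample packets are constructed for this example, not taken from the repository.

```python
from collections import defaultdict, deque, namedtuple
from dataclasses import dataclass, field
# ts: capture time (s); src: source IP; tcp_flags/ip_flags as letters ("FPU", "MD"); window: TCP window
Packet = namedtuple("Packet", "ts src tcp_flags ip_flags window")

@dataclass
class Rule:
    name: str
    match: callable        # predicate over one Packet, like the flags/fragbits/window keywords
    count: int             # fire once a source reaches this many matches ...
    seconds: int           # ... within this many seconds
    hits: dict = field(default_factory=lambda: defaultdict(deque))  # src -> timestamps of matches

    def check(self, pkt) -> bool:
        """True when this packet is the count-th match from its source within the window."""
        if not self.match(pkt):
            return False
        q = self.hits[pkt.src]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > self.seconds:  # drop matches older than the window
            q.popleft()
        return len(q) >= self.count

def make_rules():
    # Thresholds are constructed for this example, not the repository's values.
    return [
        Rule("XMAS scan (flags:FPU)", lambda p: set(p.tcp_flags) == set("FPU"), 5, 60),
        Rule("fragmented scan (fragbits:M+D)", lambda p: {"M", "D"} <= set(p.ip_flags), 5, 60),
        Rule("SYN/ACK scan, window 1024", lambda p: p.tcp_flags in ("S", "A") and p.window == 1024, 10, 60),
    ]

def run(packets):
    """Return (ts, src, rule name) for every packet that reaches a rule's threshold."""
    rules, alerts = make_rules(), []
    for pkt in sorted(packets, key=lambda p: p.ts):
        alerts.extend((pkt.ts, pkt.src, r.name) for r in rules if r.check(pkt))
    return alerts

# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE = (
    [Packet(t, "192.0.2.5", "S", "D", 64240) for t in range(20)]           # normal client
    + [Packet(2 * i, "198.51.100.7", "FPU", "D", 1024) for i in range(5)]    # fast XMAS scan
    + [Packet(70 * i, "198.51.100.9", "FPU", "D", 1024) for i in range(5)]   # too slow to trip
    + [Packet(i, "198.51.100.8", "S", "D", 1024) for i in range(1, 11)]     # SYN scan, window 1024
)

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

The slow XMAS source never has five matches inside 60 seconds, which is exactly why a rate threshold alone will miss T1/T2-style scans unless the window is widened.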