Seems to drop, but still can execute nmap from internal IP!

Started by gilberto.ferreira41, April 01, 2026, 06:21:45 PM

April 01, 2026, 06:21:45 PM Last Edit: April 01, 2026, 07:19:34 PM by gilberto.ferreira41 Reason: add information
2026-04-01T13:14:58-03:00
Notice
suricata
[Drop] [1:3400002:2] POSSBL PORT SCAN (NMAP -sS) [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.0.ABC:60788 -> 201.XXX.YYY.ZZZ:464

Suricata seems to drop, but I can still execute nmap 201.XXX.YYY.ZZZ 3 or 4 times...
It's never blocked.
IPS inline, with netmap IPS.
Hyperscan in use.
Detect profile = medium.
Isn't it supposed to prevent the nmap execution?
Like, give the source a timeout or something like that?

What did I miss?