<div dir="ltr"><div><div><div><div><div><div><div>Hello list<br><br></div>I'm currently testing Suricata and its responses to attacks and/or network scans.<br><br></div>I just did a simple nmap scan (over the Internet) as seen on this page (<a href="http://www.aldeid.com/wiki/Suricata-vs-snort/Test-cases/Evasion-techniques#Nmap_scan_with_fragmentation">http://www.aldeid.com/wiki/Suricata-vs-snort/Test-cases/Evasion-techniques#Nmap_scan_with_fragmentation</a>) and Suricata didn't log anything.<br></div>According to the rules, this should have been covered by emerging-scan.rules:<br><br>emerging-scan.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; content:"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; http_user_agent; depth:46; reference:url,<a href="http://doc.emergingthreats.net/2009358">doc.emergingthreats.net/2009358</a>; classtype:web-application-attack; sid:2009358; rev:5;)<br><br></div>... which is active in suricata.yaml:<br><br>grep emerging-scan.rules /etc/suricata/suricata.yaml<br> - emerging-scan.rules<br><br></div>What are the troubleshooting points I could look at? I also found some hints that the NIC of the server shouldn't do offloading.
The current settings:<br><br>ethtool -k eth0<br>Features for eth0:<br>rx-checksumming: on<br>tx-checksumming: on<br>        tx-checksum-ipv4: on<br>        tx-checksum-unneeded: off [fixed]<br>        tx-checksum-ip-generic: off [fixed]<br>        tx-checksum-ipv6: on<br>        tx-checksum-fcoe-crc: off [fixed]<br>        tx-checksum-sctp: on<br>scatter-gather: on<br>        tx-scatter-gather: on<br>        tx-scatter-gather-fraglist: off [fixed]<br>tcp-segmentation-offload: on<br>        tx-tcp-segmentation: on<br>        tx-tcp-ecn-segmentation: off [fixed]<br>        tx-tcp6-segmentation: on<br>udp-fragmentation-offload: off [fixed]<br>generic-segmentation-offload: off<br>generic-receive-offload: off<br>large-receive-offload: off [fixed]<br>rx-vlan-offload: on<br>tx-vlan-offload: on<br>ntuple-filters: off [fixed]<br>receive-hashing: on<br>highdma: on [fixed]<br>rx-vlan-filter: on [fixed]<br>vlan-challenged: off [fixed]<br>tx-lockless: off [fixed]<br>netns-local: off [fixed]<br>tx-gso-robust: off [fixed]<br>tx-fcoe-segmentation: off [fixed]<br>fcoe-mtu: off [fixed]<br>tx-nocache-copy: on<br>loopback: off [fixed]<br><br></div>Suricata should have detected the nmap scan, right?<br>Any idea why it didn't?<br><br></div>Thanks<br><div><div><br></div></div></div>
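NIC offloading is one of the troubleshooting points raised in the message. The following script is an added example, not code from the original post or from the Suricata project: it parses the `ethtool -k` feature listing quoted above (embedded here as a constructed sample), reports the offload features that Suricata's capture guidance recommends disabling on a sniffing interface, and builds the matching `ethtool -K` command for the ones that are not marked `[fixed]`. The feature-to-short-name mapping uses the documented `ethtool -K` keywords (`rx`, `tx`, `tso`, `ufo`, `gso`, `gro`, `lro`); the set of features treated as capture-hostile is this example's own choice.

```python
import re

# Constructed sample: the top of the `ethtool -k eth0` output quoted in the post.
SAMPLE_ETHTOOL_OUTPUT = """\
Features for eth0:
rx-checksumming: on
tx-checksumming: on
        tx-checksum-ipv4: on
        tx-checksum-unneeded: off [fixed]
        tx-checksum-ip-generic: off [fixed]
        tx-checksum-ipv6: on
        tx-checksum-fcoe-crc: off [fixed]
        tx-checksum-sctp: on
scatter-gather: on
        tx-scatter-gather: on
        tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: on
        tx-tcp-segmentation: on
        tx-tcp-ecn-segmentation: off [fixed]
        tx-tcp6-segmentation: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on
"""

# Offload features that hide the real on-the-wire packets from a capture interface
# (checksums filled in after capture, segments coalesced or split by the NIC),
# mapped to the short keywords `ethtool -K` accepts. The selection is this example's.
CAPTURE_HOSTILE = {
    "rx-checksumming": "rx",
    "tx-checksumming": "tx",
    "tcp-segmentation-offload": "tso",
    "udp-fragmentation-offload": "ufo",
    "generic-segmentation-offload": "gso",
    "generic-receive-offload": "gro",
    "large-receive-offload": "lro",
}

# One feature line: optional indent, name, state, optional "[fixed]" marker.
LINE_RE = re.compile(
    r"^(?P<indent>\s*)(?P<name>[\w-]+):\s*(?P<state>on|off)(?P<fixed>\s*\[fixed\])?\s*$"
)


def parse_ethtool_features(text):
    """Return {feature: (state, fixed)} for the top-level (unindented) features only."""
    features = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("indent"):
            continue  # header line ("Features for eth0:") or an indented sub-feature
        features[m.group("name")] = (m.group("state"), bool(m.group("fixed")))
    return features


def audit_offloads(features):
    """Return [(feature, short_name, fixed)] for capture-hostile features still enabled."""
    enabled = []
    for name, short in CAPTURE_HOSTILE.items():
        state, fixed = features.get(name, ("off", False))
        if state == "on":
            enabled.append((name, short, fixed))
    return enabled


def remediation_commands(iface, enabled):
    """Build a single `ethtool -K` command for the enabled features that can be changed.

    Features reported as [fixed] cannot be toggled by ethtool, so they are left out;
    the caller should know they remain on and may need a different NIC or driver.
    """
    changeable = [short for _, short, fixed in enabled if not fixed]
    if not changeable:
        return []
    return ["ethtool -K %s %s" % (iface, " ".join("%s off" % s for s in changeable))]


if __name__ == "__main__":
    feats = parse_ethtool_features(SAMPLE_ETHTOOL_OUTPUT)
    found = audit_offloads(feats)
    for name, short, fixed in found:
        print("%-30s on%s" % (name, "  [fixed: cannot change]" if fixed else ""))
    for cmd in remediation_commands("eth0", found):
        print("suggested:", cmd)
```

On the sample output the audit flags `rx-checksumming`, `tx-checksumming` and `tcp-segmentation-offload` as still on and produces `ethtool -K eth0 rx off tx off tso off`; GRO and GSO are already off, and LRO is off and fixed. After changing offloads, re-run `ethtool -k` and restart the capture, since Suricata reads the interface state at start-up.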