<div dir="ltr">OK, I disabled checksum validation, that's what you meant, right?<br><div><br>stream:<br>  memcap: 32mb<br>  checksum-validation: no      # reject wrong csums<br>  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically<br>  reassembly:<br><br></div><div>Restarted suricata afterwards. Ran the same nmap command, but again... no detection by suricata.<br></div><div><br>HOME_NET variable is set to the internal network range:<br><br>    HOME_NET: "[192.168.1.0/24]"<br>    EXTERNAL_NET: "!$HOME_NET"<br><br></div><div>Something comes to mind, but I'm not sure if that might solve it: Do I need to add the NFQUEUE iptables entry? Or should it work without it?<br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 23, 2014 at 2:24 PM, rmkml <span dir="ltr"><<a href="mailto:rmkml@yahoo.fr" target="_blank">rmkml@yahoo.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Claudio,<br>
<br>
Could you try disabling cksum verification, please?<br>
Could you check your $HOME_NET / $EXTERNAL_NET, please?<br>
<br>
Regards<span class="HOEnZb"><font color="#888888"><br>
@Rmkml</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
<br>
On Thu, 23 Oct 2014, Claudio Kuenzler wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello list<br>
<br>
I'm currently testing Suricata and its responses to attacks and/or network scans.<br>
<br>
I just did a simple nmap scan (over Internet) as seen on this page (<a href="http://www.aldeid.com/wiki/Suricata-vs-snort/Test-cases/Evasion-techniques#Nmap_scan_with_fragmentation" target="_blank">http://www.aldeid.com/wiki/Suricata-vs-snort/Test-cases/Evasion-techniques#Nmap_scan_with_fragmentation</a>) and suricata didn't log anything.<br>
According to the rules, this should have been covered by emerging-scan.rules:<br>
<br>
emerging-scan.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; content:"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase;<br>
http_user_agent; depth:46; reference:url,<a href="http://doc.emergingthreats.net/2009358" target="_blank">doc.emergingthreats.net/2009358</a>; classtype:web-application-attack; sid:2009358; rev:5;)<br>
<br>
... which is active in suricata.yaml:<br>
<br>
grep emerging-scan.rules /etc/suricata/suricata.yaml<br>
 - emerging-scan.rules<br>
<br>
What are the troubleshooting points I could look at? I also found some hints that the NIC of the server shouldn't do offloading. The current settings:<br>
<br>
ethtool -k eth0<br>
Features for eth0:<br>
rx-checksumming: on<br>
tx-checksumming: on<br>
        tx-checksum-ipv4: on<br>
        tx-checksum-unneeded: off [fixed]<br>
        tx-checksum-ip-generic: off [fixed]<br>
        tx-checksum-ipv6: on<br>
        tx-checksum-fcoe-crc: off [fixed]<br>
        tx-checksum-sctp: on<br>
scatter-gather: on<br>
        tx-scatter-gather: on<br>
        tx-scatter-gather-fraglist: off [fixed]<br>
tcp-segmentation-offload: on<br>
        tx-tcp-segmentation: on<br>
        tx-tcp-ecn-segmentation: off [fixed]<br>
        tx-tcp6-segmentation: on<br>
udp-fragmentation-offload: off [fixed]<br>
generic-segmentation-offload: off<br>
generic-receive-offload: off<br>
large-receive-offload: off [fixed]<br>
rx-vlan-offload: on<br>
tx-vlan-offload: on<br>
ntuple-filters: off [fixed]<br>
receive-hashing: on<br>
highdma: on [fixed]<br>
rx-vlan-filter: on [fixed]<br>
vlan-challenged: off [fixed]<br>
tx-lockless: off [fixed]<br>
netns-local: off [fixed]<br>
tx-gso-robust: off [fixed]<br>
tx-fcoe-segmentation: off [fixed]<br>
fcoe-mtu: off [fixed]<br>
tx-nocache-copy: on<br>
loopback: off [fixed]<br>
<br>
Suricata should have detected the nmap scan, right?<br>
Any idea why it didn't?<br>
<br>
thanks<br>
<br>
<br>
</blockquote>
</div></div></blockquote></div><br></div>
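<div>As an added example (not code from either poster), a small Python checker that parses the <code>ethtool -k</code> output quoted in the thread and lists the NIC offload features that an IDS capture interface is usually run without, together with the single <code>ethtool -K</code> command that disables them. The feature list and the short flag names are assumptions drawn from general packet-capture guidance, not something the thread itself spells out.</div>

```python
"""Flag NIC offload features that get in the way of Suricata packet capture."""
import re

# Offload features usually recommended off on an IDS capture interface, mapped to
# their `ethtool -K` short names (assumption: general capture guidance, not from the thread).
CAPTURE_UNFRIENDLY = {
    "rx-checksumming": "rx",            # hardware verifies checksums, Suricata never sees bad ones
    "tx-checksumming": "tx",            # outbound checksums filled in after capture
    "scatter-gather": "sg",             # must be off before tso can be turned off
    "tcp-segmentation-offload": "tso",  # capture sees one large segment, wire sees many
    "generic-segmentation-offload": "gso",
    "generic-receive-offload": "gro",   # several wire packets merged into one
    "large-receive-offload": "lro",
}


def parse_ethtool_k(text):
    """Parse `ethtool -k IFACE` output into {feature: (enabled, fixed)}."""
    features = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+):\s+(on|off)(\s+\[fixed\])?\s*$", line)
        if m:  # the "Features for eth0:" header has no on/off and is skipped
            features[m.group(1)] = (m.group(2) == "on", m.group(3) is not None)
    return features


def offload_findings(features):
    """Capture-unfriendly features that are on and not [fixed], i.e. changeable."""
    return sorted(n for n in CAPTURE_UNFRIENDLY if features.get(n) == (True, False))


def fix_command(iface, findings):
    """One `ethtool -K` invocation that turns every flagged feature off."""
    if not findings:
        return None
    flags = " ".join("%s off" % CAPTURE_UNFRIENDLY[n] for n in findings)
    return "ethtool -K %s %s" % (iface, flags)


# Constructed sample: the relevant lines of the `ethtool -k eth0` output posted above.
SAMPLE = """Features for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]
"""

if __name__ == "__main__":
    found = offload_findings(parse_ethtool_k(SAMPLE))
    print(fix_command("eth0", found))
```

Features reported as <code>[fixed]</code> cannot be changed with <code>ethtool</code> and are left out of the command.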