[Oisf-users] How does Suricata detect portscans?

carlopmart carlopmart at gmail.com
Tue Apr 12 08:57:38 UTC 2011

Hi all,

  How does Suricata detect portscans? For example, I did a simple test:

[carlos at laptop sguil]$ nmap srvdns

Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-12 10:53 CEST
Nmap scan report for srvdns (
Host is up (0.0011s latency).
Not shown: 998 closed ports
22/tcp open  ssh
53/tcp open  domain

Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds

  Alerts detected by Suricata:

  04/12-10:53:13.589141  [**] [1:2010937:2] ET POLICY Suspicious inbound 
to mySQL port 3306  [**] [Classification: Potentially Bad Traffic] 
[Priority: 2] {TCP} ->
04/12-10:53:13.590083  [**] [1:1418:11] GPL SNMP request tcp  [**] 
[Classification: Attempted Information Leak] [Priority: 2] {TCP} ->
04/12-10:53:13.590408  [**] [1:2010935:2] ET POLICY Suspicious inbound 
to MSSQL port 1433  [**] [Classification: Potentially Bad Traffic] 
[Priority: 2] {TCP} ->

  But why isn't an alert fired like "portscan detected" or something

CL Martinez
carlopmart {at} gmail {d0t} com
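The three alerts above are each a per-destination-port policy signature (MySQL 3306, SNMP, MSSQL 1433) firing on its own; a "portscan" observation is a correlation across many ports from one source within a short window, which is something you can do over fast.log yourself. The following is an added example, not code from the original post or from the Suricata project: it parses fast.log lines in the layout shown above and flags a source that touches several distinct destination ports on one host within a few seconds. The sample log is constructed from the alerts in the post, with the scrubbed endpoints replaced by documentation-range addresses and a fourth, unrelated alert added as a non-scan control; the window and port threshold are arbitrary tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# One fast.log record: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport
FASTLOG_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample: the post's three alerts with made-up endpoints, plus one later alert
# from a different source that should NOT be flagged.
SAMPLE_LOG = """\
04/12-10:53:13.589141  [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306  [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:41234 -> 192.0.2.53:3306
04/12-10:53:13.590083  [**] [1:1418:11] GPL SNMP request tcp  [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:41235 -> 192.0.2.53:161
04/12-10:53:13.590408  [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433  [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:41236 -> 192.0.2.53:1433
04/12-11:20:01.000000  [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306  [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:55000 -> 192.0.2.53:3306
"""


def parse_fastlog(text):
    """Return a list of dicts for every line that matches the fast.log layout; wrapped or partial lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FASTLOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # fast.log carries no year; strptime defaults to 1900, which is fine for computing deltas
        rec["ts"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S.%f")
        rec["dport"] = int(rec["dport"])
        events.append(rec)
    return events


def find_scanners(events, window_s=5.0, min_ports=3):
    """Sliding window per (src, dst): flag pairs with >= min_ports distinct dst ports inside window_s seconds."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pair[(e["src"], e["dst"])].append(e)
    hits = {}
    for pair, evs in by_pair.items():
        lo = 0
        for hi, cur in enumerate(evs):
            while (cur["ts"] - evs[lo]["ts"]).total_seconds() > window_s:
                lo += 1  # shrink the window from the left until it spans at most window_s
            ports = {e["dport"] for e in evs[lo:hi + 1]}
            if len(ports) >= min_ports:
                hits.setdefault(pair, set()).update(ports)
    return {pair: sorted(p) for pair, p in hits.items()}


if __name__ == "__main__":
    for (src, dst), ports in find_scanners(parse_fastlog(SAMPLE_LOG)).items():
        print(f"possible portscan {src} -> {dst}: ports {ports}")
```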
