[Oisf-users] Suricata not detecting nmap scan?

Claudio Kuenzler ck at claudiokuenzler.com
Thu Oct 23 11:59:14 UTC 2014


Hello list

I'm currently testing Suricata and its responses to attacks and/or network
scans.

I just did a simple nmap scan (over the Internet) as seen on this page (
http://www.aldeid.com/wiki/Suricata-vs-snort/Test-cases/Evasion-techniques#Nmap_scan_with_fragmentation)
and Suricata didn't log anything.
According to the rules, this should have been covered by
emerging-scan.rules:

emerging-scan.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; content:"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; http_user_agent; depth:46; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:2009358; rev:5;)

... which is active in suricata.yaml:

grep emerging-scan.rules /etc/suricata/suricata.yaml
 - emerging-scan.rules

What are the troubleshooting points I could look at? I also found some
hints that the NIC of the server shouldn't do offloading. The current
settings:

ethtool -k eth0
Features for eth0:
rx-checksumming: on
tx-checksumming: on
        tx-checksum-ipv4: on
        tx-checksum-unneeded: off [fixed]
        tx-checksum-ip-generic: off [fixed]
        tx-checksum-ipv6: on
        tx-checksum-fcoe-crc: off [fixed]
        tx-checksum-sctp: on
scatter-gather: on
        tx-scatter-gather: on
        tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: on
        tx-tcp-segmentation: on
        tx-tcp-ecn-segmentation: off [fixed]
        tx-tcp6-segmentation: on
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off [fixed]
receive-hashing: on
highdma: on [fixed]
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: on
loopback: off [fixed]

Suricata should have detected the nmap scan, right?
Any idea why it didn't?

thanks
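The rule quoted in the post only fires under the conditions its own keywords spell out: a TCP flow that Suricata has classified as HTTP, in the client-to-server direction, with the three-way handshake completed (flow:to_server,established), and a User-Agent value that starts with the 46-byte string (content ... http_user_agent; depth:46; nocase). The following Python model is an added example, not code from the original post or from Suricata; it replays those conditions over constructed sample flows (a SYN-only probe, a connect scan with no payload, an NSE HTTP script request, the same request in the wrong direction, a browser, and an NSE string pushed past the depth limit) to show which kinds of nmap traffic can ever satisfy sid 2009358. The Flow structure, the header parsing and the sample request bytes are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# The rule's content keyword with the |3b| hex escape decoded to ';'.
PATTERN = b"Mozilla/5.0 (compatible; Nmap Scripting Engine"
DEPTH = 46  # depth:46 -> the match must end within the first 46 bytes of the buffer


@dataclass
class Flow:
    """One observed flow, reduced to the fields the rule keywords look at (assumed model)."""
    established: bool              # TCP three-way handshake completed (flow:established)
    to_server: bool                # packet travels client -> server (flow:to_server)
    http_request: Optional[bytes]  # raw HTTP request, or None when no HTTP was ever sent


def user_agent(request: bytes) -> Optional[bytes]:
    """Return the User-Agent header value (what http_user_agent inspects), or None."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip()
    return None


def rule_2009358_matches(flow: Flow) -> bool:
    """Approximate the match conditions of ET SCAN sid 2009358 for a single flow."""
    # alert http ... flow:to_server,established: only client->server traffic on a
    # completed TCP connection carrying an HTTP request is ever inspected.
    if not (flow.established and flow.to_server and flow.http_request):
        return False
    ua = user_agent(flow.http_request)
    if ua is None:
        return False
    # content:"..."; nocase; http_user_agent; depth:46 -> case-insensitive match
    # that lies entirely inside the first 46 bytes of the User-Agent buffer.
    window = ua[:DEPTH].lower()
    return PATTERN.lower() in window


# Constructed sample traffic (not captured from the poster's network).
NSE_HTTP_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)\r\n"
    b"Connection: close\r\n\r\n"
)
BROWSER_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0\r\n\r\n"
)
# Same NSE string, but a prefix pushes its end past byte 46: fails the depth check.
SHIFTED_UA_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"User-Agent: Foo/1.0 Mozilla/5.0 (compatible; Nmap Scripting Engine)\r\n\r\n"
)

SAMPLE_FLOWS: Dict[str, Flow] = {
    # nmap -sS (with or without -f): SYN packets only, handshake never completes
    "syn_scan_probe": Flow(established=False, to_server=True, http_request=None),
    # nmap -sT: handshake completes, but no HTTP request is ever sent
    "connect_scan_no_payload": Flow(established=True, to_server=True, http_request=None),
    # nmap --script http-*: full connection plus an HTTP request with the NSE User-Agent
    "nse_http_script": Flow(established=True, to_server=True, http_request=NSE_HTTP_REQUEST),
    # the same request seen server->client never matches flow:to_server
    "nse_http_wrong_direction": Flow(established=True, to_server=False, http_request=NSE_HTTP_REQUEST),
    "browser": Flow(established=True, to_server=True, http_request=BROWSER_REQUEST),
    "nse_ua_beyond_depth": Flow(established=True, to_server=True, http_request=SHIFTED_UA_REQUEST),
}


def evaluate(flows: Dict[str, Flow] = SAMPLE_FLOWS) -> Dict[str, bool]:
    """Run the rule over each flow and report which ones would alert."""
    return {name: rule_2009358_matches(flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:26s} {'ALERT' if hit else '-'}")
```

Only the nse_http_script flow alerts. A port scan that never completes a handshake, or completes it without sending HTTP, gives the rule nothing to inspect, so the first thing to confirm is whether the scan actually ran NSE HTTP scripts; whether the sensor saw the full flow (the offloading settings listed in the post affect that part) is a separate check.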