[Oisf-users] Suricata not detecting nmap scan?

Claudio Kuenzler ck at claudiokuenzler.com
Thu Oct 23 13:28:55 UTC 2014


OK I disabled checksum validation, that's what you meant right?

stream:
  memcap: 32mb
  checksum-validation: no      # reject wrong csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:

Restarted suricata afterwards. Ran the same nmap command but again... no
detection by suricata.

HOME_NET variable is set to the internal network range:

    HOME_NET: "[192.168.1.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

Something comes into my mind, but I'm not sure if that might solve it: Do I
need to add the NFQUEUE iptables entry? Or should it work without it?


On Thu, Oct 23, 2014 at 2:24 PM, rmkml <rmkml at yahoo.fr> wrote:

> Hi Claudio,
>
> Could you try disabling cksum verification please ?
> Could you check your $HOME_NET / $EXTERNAL_NET please ?
>
> Regards
> @Rmkml
>
>
>
> On Thu, 23 Oct 2014, Claudio Kuenzler wrote:
>
>> Hello list
>>
>> I'm currently testing Suricata and its responses to attacks and/or
>> network scans.
>>
>> I just did a simple nmap scan (over Internet) as seen on this page (
>> http://www.aldeid.com/wiki/Suricata-vs-snort/Test-cases/
>> Evasion-techniques#Nmap_scan_with_fragmentation) and suricata didn't log
>> anything.
>> According to the rules, this should have been covered by
>> emerging-scan.rules:
>>
>> emerging-scan.rules:alert http $EXTERNAL_NET any -> $HOME_NET any
>> (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting
>> Engine)"; flow:to_server,established; content:"Mozilla/5.0 (compatible|3b|
>> Nmap Scripting Engine"; nocase;
>> http_user_agent; depth:46; reference:url,doc.emergingthreats.net/2009358;
>> classtype:web-application-attack; sid:2009358; rev:5;)
>>
>> ... which is active in suricata.yaml:
>>
>> grep emerging-scan.rules /etc/suricata/suricata.yaml
>>  - emerging-scan.rules
>>
>> What are the troubleshooting points I could look at? I also found some
>> hints that the NIC of the server shouldn't do offloading. The current
>> settings:
>>
>> ethtool -k eth0
>> Features for eth0:
>> rx-checksumming: on
>> tx-checksumming: on
>>         tx-checksum-ipv4: on
>>         tx-checksum-unneeded: off [fixed]
>>         tx-checksum-ip-generic: off [fixed]
>>         tx-checksum-ipv6: on
>>         tx-checksum-fcoe-crc: off [fixed]
>>         tx-checksum-sctp: on
>> scatter-gather: on
>>         tx-scatter-gather: on
>>         tx-scatter-gather-fraglist: off [fixed]
>> tcp-segmentation-offload: on
>>         tx-tcp-segmentation: on
>>         tx-tcp-ecn-segmentation: off [fixed]
>>         tx-tcp6-segmentation: on
>> udp-fragmentation-offload: off [fixed]
>> generic-segmentation-offload: off
>> generic-receive-offload: off
>> large-receive-offload: off [fixed]
>> rx-vlan-offload: on
>> tx-vlan-offload: on
>> ntuple-filters: off [fixed]
>> receive-hashing: on
>> highdma: on [fixed]
>> rx-vlan-filter: on [fixed]
>> vlan-challenged: off [fixed]
>> tx-lockless: off [fixed]
>> netns-local: off [fixed]
>> tx-gso-robust: off [fixed]
>> tx-fcoe-segmentation: off [fixed]
>> fcoe-mtu: off [fixed]
>> tx-nocache-copy: on
>> loopback: off [fixed]
>>
>> Suricata should have detected the nmap scan, right?
>> Any idea why it didn't?
>>
>> thanks
>>
>>
>>
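The rule quoted above (sid:2009358) matches only on the HTTP User-Agent of Nmap Scripting Engine probes (flow:to_server,established; http_user_agent), so a bare port scan, fragmented or not, produces no HTTP request for it to inspect. As an added illustration, not code from the thread or from Suricata itself, here is a small Python model of that rule's content/nocase/depth matching run over constructed HTTP requests; the request bytes and host 192.0.2.10 are made up for the example.

```python
from typing import Optional

# Constructed model of the ET rule quoted in the thread (sid:2009358).
# |3b| is rule hex notation for ';', so the decoded pattern is 46 bytes, and
# depth:46 therefore requires the User-Agent to *begin* with it.
RULE_CONTENT = "Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"
RULE_DEPTH = 46

def decode_content(content: str) -> bytes:
    """Expand |xx yy| hex escapes in a rule content string into raw bytes."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def http_user_agent(request: bytes) -> Optional[bytes]:
    """Return the User-Agent header value, i.e. what the http_user_agent buffer holds."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip()
    return None

def matches_rule(request: bytes, content: str = RULE_CONTENT, depth: int = RULE_DEPTH) -> bool:
    """Apply content + nocase + depth to the http_user_agent buffer of one request."""
    ua = http_user_agent(request)
    if ua is None:                                # no HTTP User-Agent: nothing to inspect
        return False
    pattern = decode_content(content).lower()     # nocase: compare case-insensitively
    return pattern in ua[:depth].lower()          # depth: match must end within first N bytes

# Constructed sample requests (no real traffic).
NSE_PROBE = (b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n"
             b"User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)\r\n\r\n")
BROWSER = b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/33.0\r\n\r\n"
SHIFTED = b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: X-Mozilla/5.0 (compatible; Nmap Scripting Engine)\r\n\r\n"
MIXED_CASE = b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: MOZILLA/5.0 (compatible; nmap scripting engine)\r\n\r\n"
NO_UA = b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("NSE probe", NSE_PROBE), ("browser", BROWSER), ("shifted", SHIFTED),
                      ("mixed case", MIXED_CASE), ("no User-Agent", NO_UA)]:
        print(f"{name:14s} -> {'ALERT' if matches_rule(req) else 'no match'}")
```

The "shifted" case shows the effect of depth:46 being exactly the pattern length: a User-Agent that contains the string but does not start with it is not matched.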