[Oisf-users] Suricata not detecting nmap scan?
rmkml
rmkml at yahoo.fr
Thu Oct 23 14:11:16 UTC 2014
Thx Claudio,
OK, could you enable logging for http/dns for testing, please? Do you have logs afterwards?
Where do you start nmap from, please? internal -> external? external -> internal?
What is your nfqueue configuration, please?
Are you sure nmap checks http, please? (Is http available? Is the fw open?)
Could you record the network packets, like a full tcpdump, please?
Regards
@Rmkml
On Thu, 23 Oct 2014, Claudio Kuenzler wrote:
> OK, I disabled checksum validation, that's what you meant, right?
>
> stream:
>   memcap: 32mb
>   checksum-validation: no      # reject wrong csums
>   inline: auto                 # auto will use inline mode in IPS mode, yes or no set it statically
>   reassembly:
>
> Restarted suricata afterwards. Ran the same nmap command but again... no detection by suricata.
>
> HOME_NET variable is set to the internal network range:
>
> HOME_NET: "[192.168.1.0/24]"
> EXTERNAL_NET: "!$HOME_NET"
>
> Something comes into my mind, but I'm not sure if that might solve it: Do I need to add the NFQUEUE iptables entry? Or should it work without it?
>
>
> On Thu, Oct 23, 2014 at 2:24 PM, rmkml <rmkml at yahoo.fr> wrote:
> Hi Claudio,
>
> Could you try disabling cksum verification please ?
> Could you check your $HOME_NET / $EXTERNAL_NET please ?
>
> Regards
> @Rmkml
>
>
> On Thu, 23 Oct 2014, Claudio Kuenzler wrote:
>
> Hello list
>
> I'm currently testing Suricata and its responses to attacks and/or network scans.
>
> I just did a simple nmap scan (over Internet) as seen on this page (http://www.aldeid.com/wiki/Suricata-vs-snort/Test-cases/Evasion-techniques#Nmap_scan_with_fragmentation) and suricata didn't log anything.
> According to the rules, this should have been covered by emerging-scan.rules:
>
> emerging-scan.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; content:"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; http_user_agent; depth:46; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:2009358; rev:5;)
>
> ... which is active in suricata.yaml:
>
> grep emerging-scan.rules /etc/suricata/suricata.yaml
> - emerging-scan.rules
>
> What are the troubleshooting points I could look at? I also found some hints that the NIC of the server shouldn't do offloading. The current settings:
>
> ethtool -k eth0
> Features for eth0:
> rx-checksumming: on
> tx-checksumming: on
> tx-checksum-ipv4: on
> tx-checksum-unneeded: off [fixed]
> tx-checksum-ip-generic: off [fixed]
> tx-checksum-ipv6: on
> tx-checksum-fcoe-crc: off [fixed]
> tx-checksum-sctp: on
> scatter-gather: on
> tx-scatter-gather: on
> tx-scatter-gather-fraglist: off [fixed]
> tcp-segmentation-offload: on
> tx-tcp-segmentation: on
> tx-tcp-ecn-segmentation: off [fixed]
> tx-tcp6-segmentation: on
> udp-fragmentation-offload: off [fixed]
> generic-segmentation-offload: off
> generic-receive-offload: off
> large-receive-offload: off [fixed]
> rx-vlan-offload: on
> tx-vlan-offload: on
> ntuple-filters: off [fixed]
> receive-hashing: on
> highdma: on [fixed]
> rx-vlan-filter: on [fixed]
> vlan-challenged: off [fixed]
> tx-lockless: off [fixed]
> netns-local: off [fixed]
> tx-gso-robust: off [fixed]
> tx-fcoe-segmentation: off [fixed]
> fcoe-mtu: off [fixed]
> tx-nocache-copy: on
> loopback: off [fixed]
>
> Suricata should have detected the nmap scan, right?
> Any idea why it didn't?
>
> thanks
>
>
>
>
>
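As an added example (not code from the thread, from Emerging Threats or from Suricata), the following Python models the three gates the quoted rule 2009358 has to pass before it can alert, and runs them over constructed traffic samples: a fragmented SYN scan, an NSE HTTP request from the Internet, the same request launched from inside $HOME_NET, and two non-matching HTTP requests. The rule parser understands only what this one rule uses, the addresses and sessions are invented for the demonstration, and the User-Agent string is the default of nmap's NSE http library.

```python
"""Added example, not code from the thread or from Suricata: a toy model of the
three gates ET rule 2009358 must pass before it can alert, run over constructed
traffic samples.  The rule parser only understands what this one rule uses;
addresses and requests below are made up for the demonstration."""
import ipaddress
import re

# The variables and the rule exactly as quoted in the thread.
VARS = {"HOME_NET": "[192.168.1.0/24]", "EXTERNAL_NET": "!$HOME_NET"}
RULE = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine '
    'User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; '
    'content:"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; '
    'http_user_agent; depth:46; reference:url,doc.emergingthreats.net/2009358; '
    'classtype:web-application-attack; sid:2009358; rev:5;)'
)

# Default User-Agent of nmap's NSE http library (what --script http-* sends).
NSE_UA = b"Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"


def decode_content(s: str) -> bytes:
    """Expand |xx| hex escapes.  The rule writes |3b| because a literal ';'
    would end the option, so "compatible|3b| Nmap" becomes b"compatible; Nmap"."""
    out = bytearray()
    for i, chunk in enumerate(s.split("|")):
        out += chunk.encode() if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def addr_matches(expr: str, ip: str) -> bool:
    """Evaluate a rule address field: any, $VAR, !expr, or a [cidr,...] group."""
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not addr_matches(expr[1:], ip)
    if expr.startswith("$"):
        return addr_matches(VARS[expr[1:]], ip)
    nets = (ipaddress.ip_network(n.strip()) for n in expr.strip("[]").split(","))
    return any(ipaddress.ip_address(ip) in net for net in nets)


def parse_rule(rule: str) -> dict:
    """Split header and options; flag options such as nocase map to True."""
    header, _, opts = rule.partition("(")
    _action, proto, src, _sport, _arrow, dst, _dport = header.split()
    parsed = {"proto": proto, "src": src, "dst": dst, "opts": {}}
    for opt in filter(None, (o.strip() for o in opts.rstrip(")").split(";"))):
        key, _, val = opt.partition(":")
        parsed["opts"][key] = val.strip('"') if val else True
    return parsed


def http_user_agent(payload: bytes):
    """Return the User-Agent of an HTTP request, or None when the stream carries
    no HTTP request at all (then the http_user_agent buffer never exists)."""
    lines = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    if not re.match(rb"^[A-Z]+ \S+ HTTP/1\.[01]$", lines[0]):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"user-agent":
            return value.strip()
    return None


def rule_matches(rule: dict, pkt: dict) -> bool:
    """Gate 1: $EXTERNAL_NET -> $HOME_NET direction.  Gate 2: an established
    flow carrying an HTTP request.  Gate 3: content under nocase/depth on the UA."""
    if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
        return False
    if not pkt["established"]:  # SYN probes never complete the handshake
        return False
    hay = http_user_agent(pkt["payload"])
    if hay is None:
        return False
    opts = rule["opts"]
    needle = decode_content(opts["content"])
    if "nocase" in opts:
        needle, hay = needle.lower(), hay.lower()
    depth = int(opts.get("depth", len(hay)))  # match must end within the first N bytes
    return needle in hay[:depth]


def nse_request(ua: bytes) -> bytes:
    """Constructed minimal HTTP request carrying the given User-Agent."""
    return b"GET / HTTP/1.1\r\nHost: 192.168.1.10\r\nUser-Agent: " + ua + b"\r\nConnection: close\r\n\r\n"


# Constructed traffic samples (addresses and sessions are invented).
SAMPLES = {
    # nmap -f -sS from the Internet: fragmented SYNs, no handshake, no payload
    "syn_scan_with_fragmentation": dict(src="203.0.113.7", dst="192.168.1.10", established=False, payload=b""),
    # nmap --script http-title from the Internet: full session plus an NSE request
    "nse_http_from_external": dict(src="203.0.113.7", dst="192.168.1.10", established=True, payload=nse_request(NSE_UA)),
    # the same NSE request launched from a host inside $HOME_NET
    "nse_http_from_internal": dict(src="192.168.1.5", dst="192.168.1.10", established=True, payload=nse_request(NSE_UA)),
    # the UA present but not at offset 0: the 46-byte needle ends past depth:46
    "nse_ua_after_prefix": dict(src="203.0.113.7", dst="192.168.1.10", established=True, payload=nse_request(b"curl " + NSE_UA)),
    # an ordinary browser from the Internet
    "browser_from_external": dict(src="203.0.113.7", dst="192.168.1.10", established=True,
                                  payload=nse_request(b"Mozilla/5.0 (X11; Linux x86_64) Firefox/33.0")),
}


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample name to whether the quoted rule would alert on it."""
    rule = parse_rule(RULE)
    return {name: rule_matches(rule, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:30s} {'ALERT' if hit else 'no alert'}")
```

Only the NSE request from an external address alerts. The model shows why rmkml's "are you sure nmap checks http?" is the decisive question: a fragmented port scan never completes a handshake and carries no HTTP request, so there is no http_user_agent buffer for the content to match against, regardless of checksum or offload settings. The User-Agent only appears when an NSE HTTP script runs (for example `nmap --script http-title -p 80 <target>`), the scan must originate outside $HOME_NET to satisfy $EXTERNAL_NET, and the 46-byte content plus depth:46 pins the string to the very start of the header. Separately, when Suricata runs in NFQUEUE mode it only sees packets that an iptables rule sends to its queue (for example `iptables -I FORWARD -j NFQUEUE --queue-num 0` for forwarded traffic), so without such a rule no traffic reaches the engine at all.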