[Oisf-users] Suricata not detecting nmap scan?

rmkml rmkml at yahoo.fr
Thu Oct 23 14:11:16 UTC 2014


Thx Claudio,

OK, could you enable logging on http/dns for testing, please? Do you have logs after that?

Where do you start nmap, please? internal -> external? external -> internal?

What is your nfqueue configuration, please?

Are you sure nmap checks http, please? (Is http available? Is the fw open?)

Could you record the network packets, like a full tcpdump, please?

Regards
@Rmkml


On Thu, 23 Oct 2014, Claudio Kuenzler wrote:

> OK, I disabled checksum validation, that's what you meant, right?
> 
> stream:
>   memcap: 32mb
>   checksum-validation: no      # reject wrong csums
>   inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
>   reassembly:
> 
> Restarted suricata afterwards. Ran the same nmap command but again... no detection by suricata.
> 
> HOME_NET variable is set to the internal network range:
> 
>     HOME_NET: "[192.168.1.0/24]"
>     EXTERNAL_NET: "!$HOME_NET"
> 
> Something comes into my mind, but I'm not sure if that might solve it: Do I need to add the NFQUEUE iptables entry? Or should it work without it?
> 
> 
> On Thu, Oct 23, 2014 at 2:24 PM, rmkml <rmkml at yahoo.fr> wrote:
>       Hi Claudio,
>
>       Could you try disabling cksum verification please ?
>       Could you check your $HOME_NET / $EXTERNAL_NET please ?
>
>       Regards
>       @Rmkml
> 
>
>       On Thu, 23 Oct 2014, Claudio Kuenzler wrote:
>
>             Hello list
>
>             I'm currently testing Suricata and its responses to attacks and/or network scans.
>
>             I just did a simple nmap scan (over Internet) as seen on this page (http://www.aldeid.com/wiki/Suricata-vs-snort/Test-cases/Evasion-techniques#Nmap_scan_with_fragmentation) and suricata didn't log anything.
>             According to the rules, this should have been covered by emerging-scan.rules:
>
>             emerging-scan.rules:alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; content:"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; http_user_agent; depth:46; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:2009358; rev:5;)
>
>             ... which is active in suricata.yaml:
>
>             grep emerging-scan.rules /etc/suricata/suricata.yaml
>              - emerging-scan.rules
>
>             What are the troubleshooting points I could look at? I also found some hints that the NIC of the server shouldn't do offloading. The current settings:
>
>             ethtool -k eth0
>             Features for eth0:
>             rx-checksumming: on
>             tx-checksumming: on
>                     tx-checksum-ipv4: on
>                     tx-checksum-unneeded: off [fixed]
>                     tx-checksum-ip-generic: off [fixed]
>                     tx-checksum-ipv6: on
>                     tx-checksum-fcoe-crc: off [fixed]
>                     tx-checksum-sctp: on
>             scatter-gather: on
>                     tx-scatter-gather: on
>                     tx-scatter-gather-fraglist: off [fixed]
>             tcp-segmentation-offload: on
>                     tx-tcp-segmentation: on
>                     tx-tcp-ecn-segmentation: off [fixed]
>                     tx-tcp6-segmentation: on
>             udp-fragmentation-offload: off [fixed]
>             generic-segmentation-offload: off
>             generic-receive-offload: off
>             large-receive-offload: off [fixed]
>             rx-vlan-offload: on
>             tx-vlan-offload: on
>             ntuple-filters: off [fixed]
>             receive-hashing: on
>             highdma: on [fixed]
>             rx-vlan-filter: on [fixed]
>             vlan-challenged: off [fixed]
>             tx-lockless: off [fixed]
>             netns-local: off [fixed]
>             tx-gso-robust: off [fixed]
>             tx-fcoe-segmentation: off [fixed]
>             fcoe-mtu: off [fixed]
>             tx-nocache-copy: on
>             loopback: off [fixed]
>
>             Suricata should have detected the nmap scan, right?
>             Any idea why it didn't?
>
>             thanks
> 
> 
> 
> 
>
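Added editor's example, not code from the thread, from Suricata or from Emerging Threats: a small Python triage helper that works through the checks raised in the messages above. It models what sid:2009358 needs before it can fire at all (traffic from $EXTERNAL_NET into $HOME_NET, an established flow that Suricata parsed as HTTP, and the NSE string as the first 46 bytes of the User-Agent, which is why a bare SYN or fragmented port scan can never match this particular rule), parses `ethtool -k` output for the offload features that break checksums and segmentation on a sniffing NIC, and pulls the alerts for one sid out of eve.json. HOME_NET/EXTERNAL_NET are the values posted in the thread; the sample flows, the ethtool excerpt and the eve.json lines are constructed here, the default NSE User-Agent string is an assumption, and the `checksum_ok` flag is a simplification of what stream.checksum-validation does with a bad-checksum packet.

```python
"""Triage helper for 'why does sid:2009358 not fire' (added example, not list code)."""
import ipaddress
import json

HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]  # value from the thread; EXTERNAL_NET = !$HOME_NET
RULE_SID = 2009358
# content:"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; http_user_agent; depth:46;
RULE_UA = b"Mozilla/5.0 (compatible; Nmap Scripting Engine"
RULE_DEPTH = 46  # equals len(RULE_UA): the string must start at byte 0 of the User-Agent


def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def direction_ok(src, dst):
    """alert http $EXTERNAL_NET any -> $HOME_NET any"""
    return not in_home_net(src) and in_home_net(dst)


def ua_matches(user_agent):
    """nocase content match confined to the first RULE_DEPTH bytes of the http_user_agent buffer."""
    if not user_agent:
        return False
    return RULE_UA.lower() in user_agent[:RULE_DEPTH].lower()


def evaluate(flow, checksum_validation=True):
    """Return (alerts, reason) for one constructed flow summary.

    Keys: src, dst, established (3-way handshake seen), app_proto,
    user_agent (bytes or None), checksum_ok (simplified: any bad TCP checksum on the flow).
    """
    if checksum_validation and not flow.get("checksum_ok", True):
        return False, "bad TCP checksum with stream.checksum-validation: yes, stream engine skips it"
    if not direction_ok(flow["src"], flow["dst"]):
        return False, "not $EXTERNAL_NET -> $HOME_NET"
    if not flow.get("established"):
        return False, "flow:established: no handshake (SYN / fragment scan never gets here)"
    if flow.get("app_proto") != "http":
        return False, "alert http: no HTTP request parsed on the flow"
    if not ua_matches(flow.get("user_agent")):
        return False, "User-Agent does not begin with the NSE string"
    return True, "sid:%d fires" % RULE_SID


# Offloads that matter when Suricata sniffs on the same host: TX checksum offload
# hands libpcap packets whose checksums the NIC has not filled in yet, and
# TSO/GSO/GRO/LRO hand it merged segments that never looked like that on the wire.
RISKY_OFFLOADS = ("rx-checksumming", "tx-checksumming", "tcp-segmentation-offload",
                  "generic-segmentation-offload", "generic-receive-offload",
                  "large-receive-offload")


def risky_offloads_on(ethtool_k_output):
    """Top-level 'ethtool -k' features from RISKY_OFFLOADS that are currently on."""
    found = []
    for line in ethtool_k_output.splitlines():
        if line.startswith((" ", "\t")):  # indented sub-features follow their parent
            continue
        name, _, state = line.partition(":")
        if name.strip() in RISKY_OFFLOADS and state.strip().split(" ")[0] == "on":
            found.append(name.strip())
    return found


def alerts_for_sid(eve_lines, sid=RULE_SID):
    """(src_ip, dest_ip, signature) for every eve.json alert event carrying this sid."""
    hits = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") == "alert" and ev.get("alert", {}).get("signature_id") == sid:
            hits.append((ev.get("src_ip"), ev.get("dest_ip"), ev["alert"].get("signature")))
    return hits


# Constructed inputs (not captured data).  203.0.113.7 is a documentation address.
NSE_UA = RULE_UA + b"; http://nmap.org/book/nse.html)"  # assumed default NSE UA
SAMPLE_FLOWS = {
    "nse_http_from_internet": dict(src="203.0.113.7", dst="192.168.1.10", established=True,
                                   app_proto="http", user_agent=NSE_UA),
    "fragmented_syn_scan": dict(src="203.0.113.7", dst="192.168.1.10", established=False,
                                app_proto=None, user_agent=None),          # nmap -sS -f
    "nse_from_inside": dict(src="192.168.1.50", dst="192.168.1.10", established=True,
                            app_proto="http", user_agent=NSE_UA),           # wrong direction
    "nse_custom_ua": dict(src="203.0.113.7", dst="192.168.1.10", established=True,
                          app_proto="http", user_agent=b"curl/7.38 " + RULE_UA),  # past depth:46
    "nse_bad_csum": dict(src="203.0.113.7", dst="192.168.1.10", established=True,
                         app_proto="http", user_agent=NSE_UA, checksum_ok=False),
}
SAMPLE_ETHTOOL = """Features for eth0:
rx-checksumming: on
tx-checksumming: on
        tx-checksum-ipv4: on
tcp-segmentation-offload: on
        tx-tcp-segmentation: on
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]
"""
SAMPLE_EVE = """
{"timestamp":"2014-10-23T14:00:01.000000+0000","event_type":"http","src_ip":"203.0.113.7","dest_ip":"192.168.1.10","http":{"http_user_agent":"Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"}}
{"timestamp":"2014-10-23T14:00:01.000100+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.168.1.10","alert":{"signature_id":2009358,"rev":5,"signature":"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"}}
{"timestamp":"2014-10-23T14:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.168.1.10","alert":{"signature_id":1000001,"rev":1,"signature":"LOCAL constructed test rule"}}
"""

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print("%-24s %s" % (name, evaluate(flow)[1]))
    print("offloads to turn off:", risky_offloads_on(SAMPLE_ETHTOOL))
    print("eve.json hits for sid %d:" % RULE_SID, alerts_for_sid(SAMPLE_EVE.splitlines()))
```

Of the five constructed flows only the first can raise sid:2009358; the fragmented SYN scan from the linked test page produces no established flow and no HTTP request, so a rule keyed on http_user_agent is the wrong one to expect from it. The offload list corresponds to `ethtool -K eth0 rx off tx off tso off gso off gro off lro off` on the sniffing interface. The model starts after capture: in NFQUEUE mode Suricata only sees packets that an iptables rule queues to it (for example `iptables -I FORWARD -j NFQUEUE`), so without such a rule there is no flow to evaluate in the first place.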
