[Oisf-users] Suricata not detecting nmap scan?

Claudio Kuenzler ck at claudiokuenzler.com
Thu Oct 23 14:26:04 UTC 2014


> Thx Claudio,
>

Well thank you! :)


>
> ok, could you enable log on http/dns for testing please ? do you have log
> after ?
>

Actually the logging of http works. Already before I disabled the checksum
validation. I see typical requests to the web server.
And I also see my nmap request in the http log - that's why I'm confused.
Suricata sees the traffic from nmap going by, logging it in the http log
but does not alert?


>
> where you start nmap please ? internal -> external ? external -> internal ?
>

I launched nmap from my machine at home in internal network, being natted
to an external IP and then straight to the server listening on a public IP,
where suricata is installed. The http traffic is then natted from the
public to an internal ip.
So: internal -> NAT -> external -> NAT -> internal


>
> what is your nfqueue configuration please ?
>

That's exactly the point where I am not sure. Do I have to add an ipfilter
rule for the NFQUEUE or not?
Currently there is no NFQUEUE rule nor any special configuration I did on
the machine (concerning NFQUEUE).


>
> are you sure nmap check http please ? (http is available ? fw is open ?)
>

The nmap command is "nmap -Pn -sS -A -f TARGETIP". Yes, it does check for
http information, as I can see in the output:

80/tcp   open   http    nginx
|_http-title: XXX
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
443/tcp  open   http    nginx
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=*.smartlinksa.ch/organizationName=XXXX/stateOrProvinceName=XXXX/countryName=CH



>
> could you record network packet like full tcpdump please ?


Will do that if necessary (and send you private). But I still have some
hope it's due to the "non-configured" NFQUEUE situation. I have so far
believed that this would not be necessary for suricata to run, but maybe it
is? As stated above, that's the point where I am not sure.
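An added check for the NFQUEUE question above (example script, not part of this thread or of Suricata): when Suricata runs in NFQ (inline) mode with `suricata -q N`, it only receives packets that an iptables rule hands to queue N, whereas the pcap/af-packet IDS modes need no such rule. The script parses an `iptables -S` style listing for NFQUEUE targets; the listings, chains and queue numbers are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Finds the netfilter queues
# that iptables rules feed, so you can tell whether "suricata -q N" can see
# any packets at all. Chains and queue numbers below are assumptions.

# Constructed `iptables -S` listing of a NAT host with no NFQUEUE rule,
# matching the situation described in the thread.
IPT_NO_QUEUE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT'

# Constructed listing after adding NFQUEUE rules. A rule without
# --queue-num uses queue 0 (iptables default).
IPT_WITH_QUEUE='-P FORWARD ACCEPT
-A INPUT -j NFQUEUE
-A FORWARD -j NFQUEUE --queue-num 1'

# Print the distinct queue numbers targeted by NFQUEUE rules in listing $1,
# space separated. Prints nothing when no rule hands packets to userspace.
nfqueue_numbers() {
    printf '%s\n' "$1" | awk '/-j NFQUEUE/ {
        q = "0"
        for (i = 1; i <= NF; i++) if ($i == "--queue-num") q = $(i + 1)
        print q
    }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 when some rule in listing $1 feeds queue $2, otherwise 1.
queue_is_fed() {
    for q in $(nfqueue_numbers "$1"); do
        [ "$q" = "$2" ] && return 0
    done
    return 1
}

# Stand-alone run: report on the "no NFQUEUE rule" listing for queue 0.
if queue_is_fed "$IPT_NO_QUEUE" 0; then
    echo "queue 0 is fed: suricata -q 0 will receive packets"
else
    echo "no NFQUEUE rule: suricata -q 0 sees nothing (pcap/af-packet modes need no rule)"
fi
```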