[Oisf-users] Suricata not detecting nmap scan?

Claudio Kuenzler ck at claudiokuenzler.com
Thu Oct 23 14:55:54 UTC 2014


Hallelujah!

After having changed HOME_NET and EXTERNAL_NET to any:

    HOME_NET: "any"

    EXTERNAL_NET: "any"

... Suricata is now successfully detecting the scan as an alert and is writing
the alert into the unified2 file.

Excellent advice rmkml, thanks.

Just for my better understanding: if the machine Suricata is installed on
serves as a firewall/router, should HOME_NET and EXTERNAL_NET generally be
set to "any"?

On Thu, Oct 23, 2014 at 4:42 PM, rmkml <rmkml at yahoo.fr> wrote:

> Could you check:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/
> Setting_up_IPSinline_for_Linux
>
> Well, if I understand correctly, Suricata logs http requests without
> nfqueue; if yes: you don't need nfqueue ;) (for suricata)
> or do you need an "IPS" mode ?
>
> could you change $HOME_NET to any ? (because of translation)
> Same with $EXTERNAL_NET to any please (for testing)
>
> like this:
> alert http any any -> any any (...
>
> Regards
> @Rmkml
>
>
> On Thu, 23 Oct 2014, Claudio Kuenzler wrote:
>
>
>>
>>       Thx Claudio,
>>
>>
>> Well thank you! :)
>>
>>
>>       ok, could you enable log on http/dns for testing please ? do you
>> have log after ?
>>
>>
>> Actually the logging of http works. Already before I disabled the
>> checksum validation. I see typical requests to the web server.
>> And I also see my nmap request in the http log - that's why I'm confused.
>> Suricata sees the traffic from nmap going by, logging it in the http log
>> but does not alert?
>>
>>
>>       where you start nmap please ? internal -> external ? external ->
>> internal ?
>>
>>
>> I launched nmap from my machine at home in the internal network, being NATed
>> to an external IP and then straight to the server listening on a public IP,
>> where suricata is installed. The http traffic is then NATed from the
>> public to an internal IP.
>> So: internal -> NAT -> external -> NAT -> internal
>>
>>
>>       what is your nfqueue configuration please ?
>>
>>
>> That's exactly the point where I am not sure. Do I have to add an
>> ipfilter rule for the NFQUEUE or not?
>> Currently there is no NFQUEUE rule nor any special configuration I did on
>> the machine (concerning NFQUEUE).
>>
>>
>>       are you sure nmap checks http please ? (http is available ? fw is
>> open ?)
>>
>>
>> The nmap command is "nmap -Pn -sS -A -f TARGETIP". Yes, it does check for
>> http information, as I can see in the output:
>>
>> 80/tcp   open   http    nginx
>> |_http-title: XXX
>> |_http-methods: No Allow or Public header in OPTIONS response (status
>> code 200)
>> 443/tcp  open   http    nginx
>> |_http-methods: No Allow or Public header in OPTIONS response (status
>> code 400)
>> |_http-title: 400 The plain HTTP request was sent to HTTPS port
>> | ssl-cert: Subject: commonName=*.smartlinksa.ch/organizationName=XXXX/
>> stateOrProvinceName=XXXX/countryName=CH
>>
>>
>>
>>       could you record network packet like full tcpdump please ?
>>
>>
>> Will do that if necessary (and send it to you privately). But I still have
>> some hope it's due to the "non-configured" NFQUEUE situation. I have so far
>> believed that this would not be necessary for suricata to run, but maybe it
>> is? As stated above, that's the point where I am not sure.
>>
>>
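As an added illustration (not code from the thread or from Suricata), here is a small Python model of how the addresses in a rule header are resolved against the HOME_NET and EXTERNAL_NET variables; it shows why a rule written as `$EXTERNAL_NET -> $HOME_NET` stays silent when the scanned public IP is not inside HOME_NET, and why setting both variables to `any` makes it fire. The variables, the rule and the addresses are constructed for the example.

```python
import ipaddress

# Constructed example: a miniature of matching a rule header against the
# $HOME_NET / $EXTERNAL_NET address variables. DEFAULT_VARS mimics a typical
# "private ranges" HOME_NET; ANY_VARS is the setting the thread ended up with.
DEFAULT_VARS = {"HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
                "EXTERNAL_NET": "!$HOME_NET"}
ANY_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}

# Constructed rule and scan packet (documentation addresses, not real hosts).
RULE = 'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"scan"; sid:1;)'
SCAN_PKT = {"proto": "http", "src": "198.51.100.5", "dst": "203.0.113.10"}

def resolve(spec, variables):
    """Return (negated, networks); networks is None for the 'any' wildcard."""
    spec = spec.strip()
    if spec == "any":
        return False, None
    if spec.startswith("!"):
        negated, nets = resolve(spec[1:], variables)
        if nets is None:
            # Negating 'any' would match nothing, so reject it rather than
            # silently disabling the rule (hence both variables are set to any).
            raise ValueError("cannot negate 'any'")
        return not negated, nets
    if spec.startswith("$"):
        return resolve(variables[spec[1:]], variables)
    if spec.startswith("[") and spec.endswith("]"):
        return False, [ipaddress.ip_network(p.strip()) for p in spec[1:-1].split(",")]
    return False, [ipaddress.ip_network(spec)]

def addr_matches(spec, ip, variables):
    """True if the address spec (after variable expansion) covers ip."""
    negated, nets = resolve(spec, variables)
    if nets is None:
        return True
    hit = any(ipaddress.ip_address(ip) in n for n in nets)
    return hit != negated

def rule_matches(rule, pkt, variables):
    """Check only the protocol and address part of the rule header."""
    _action, proto, src, _sport, arrow, dst, _dport = rule.split()[:7]
    if arrow != "->":
        raise ValueError("only unidirectional rules are handled here")
    return (proto == pkt["proto"]
            and addr_matches(src, pkt["src"], variables)
            and addr_matches(dst, pkt["dst"], variables))
```

With DEFAULT_VARS the scan's destination, a public IP outside the private ranges, fails the `$HOME_NET` test and the rule is silent; with ANY_VARS the same packet matches.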