[Oisf-users] Suricata not detecting nmap scan?

rmkml rmkml at yahoo.fr
Thu Oct 23 15:08:23 UTC 2014


Good!

What IPs appear in the http-log please? Internal IPs? External/NAT IPs?

What network interface does Suricata listen on please? Internal? External?
(maybe before NAT?)

For HOME_NET and EXTERNAL_NET you need to understand where Suricata listens...

Regards
@Rmkml


On Thu, 23 Oct 2014, Claudio Kuenzler wrote:

> Hallelujah!
> 
> After having changed HOME_NET and EXTERNAL_NET to any:
> 
>     HOME_NET: "any"
> 
>     EXTERNAL_NET: "any"
> 
> ... Suricata is now successfully detecting the scan as an alert and is writing the alert into the unified2 file.
> 
> Excellent advice rmkml, thanks.
> 
> Just for the better understanding: if Suricata is installed on a machine which serves as firewall/router, should HOME_NET and EXTERNAL_NET generally be set to "any"?
> 
> On Thu, Oct 23, 2014 at 4:42 PM, rmkml <rmkml at yahoo.fr> wrote:
>       Could you check:
>       https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux
>
>       Well, if I understand correctly, Suricata logs http requests without nfqueue; if yes, you don't need nfqueue ;) (for Suricata)
>       or do you need an "IPS" mode?
>
>       Could you change $HOME_NET to any? (because of translation)
>       Same with $EXTERNAL_NET to any please (for testing)
>
>       like this:
>       alert http any any -> any any (...
>
>       Regards
>       @Rmkml
> 
>
>       On Thu, 23 Oct 2014, Claudio Kuenzler wrote:
>
>                   Thx Claudio,
>
>             Well thank you! :)
>
>                   OK, could you enable logging on http/dns for testing please? Do you have logs after?
>
>             Actually the logging of http works. Already before I disabled the checksum validation. I see typical requests to the web server.
>             And I also see my nmap request in the http log - that's why I'm confused. Suricata sees the traffic from nmap going by, logging it in the http log, but does not alert?
>
>                   Where do you start nmap please? internal -> external? external -> internal?
>
>             I launched nmap from my machine at home in the internal network, being natted to an external IP and then straight to the server listening on a public IP, where Suricata is installed. The http traffic is then natted from the public to an internal IP.
>             So: internal -> NAT -> external -> NAT -> internal
>
>                   What is your nfqueue configuration please?
>
>             That's exactly the point where I am not sure. Do I have to add an ipfilter rule for the NFQUEUE or not?
>             Currently there is no NFQUEUE rule nor any special configuration I did on the machine (concerning NFQUEUE).
>
>                   Are you sure nmap checks http please? (http is available? fw is open?)
>
>             The nmap command is "nmap -Pn -sS -A -f TARGETIP". Yes, it does check for http information, as I can see in the output:
>
>             80/tcp   open   http    nginx
>             |_http-title: XXX
>             |_http-methods: No Allow or Public header in OPTIONS response (status code 200)
>             443/tcp  open   http    nginx
>             |_http-methods: No Allow or Public header in OPTIONS response (status code 400)
>             |_http-title: 400 The plain HTTP request was sent to HTTPS port
>             | ssl-cert: Subject: commonName=*.smartlinksa.ch/organizationName=XXXX/stateOrProvinceName=XXXX/countryName=CH
>
>                   Could you record network packets like a full tcpdump please?
>
>             Will do that if necessary (and send it to you privately). But I still have some hope it's due to the "non-configured" NFQUEUE situation. I have so far believed that this would not be necessary for Suricata to run, but maybe it is? As stated above, that's the point where I am not sure.
>
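An added example, not from this thread or from the Suricata project: a small Python model of how the $HOME_NET/$EXTERNAL_NET variables in a rule header resolve, run against constructed RFC 5737 addresses standing in for the NATed scan described above. It shows that an internal-only HOME_NET never matches a scan observed on the public side of the firewall, that "any" matches it, and (going beyond the thread) that listing the firewall's public IP in HOME_NET also matches while keeping the variables meaningful; the variable tables and the rule are assumptions for the demo.

```python
import ipaddress

# Constructed address-group tables in the shape of suricata.yaml's
# vars.address-groups: a common LAN default, and the "any" setting from the thread.
INTERNAL_ONLY = {"HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
                 "EXTERNAL_NET": "!$HOME_NET"}
ANY_ANY = {"HOME_NET": "any", "EXTERNAL_NET": "any"}

def addr_matches(ip, expr, groups):
    """True if ip is covered by a Suricata-style address expression: any, IP, CIDR,
    $VAR, !item, or a flat [a,b,...] list (nested brackets are not modelled).
    In a list, negated items exclude; a list of only negations matches the rest."""
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("$"):                      # variable reference
        return addr_matches(ip, groups[expr[1:]], groups)
    if expr.startswith("!"):                      # negation
        return not addr_matches(ip, expr[1:], groups)
    if expr.startswith("[") and expr.endswith("]"):
        items = [i.strip() for i in expr[1:-1].split(",")]
        negatives = [i[1:] for i in items if i.startswith("!")]
        positives = [i for i in items if not i.startswith("!")]
        if any(addr_matches(ip, n, groups) for n in negatives):
            return False
        return not positives or any(addr_matches(ip, p, groups) for p in positives)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)

def rule_header_matches(rule, src_ip, dst_ip, groups):
    """Evaluate only the address fields of a header such as
    'alert http $EXTERNAL_NET any -> $HOME_NET any (...)'; ports are ignored."""
    _action, _proto, src_expr, _sp, direction, dst_expr, _dp = rule.split()[:7]
    fwd = addr_matches(src_ip, src_expr, groups) and addr_matches(dst_ip, dst_expr, groups)
    if direction == "->":
        return fwd
    # "<>" is bidirectional: also accept the reverse pairing
    return fwd or (addr_matches(dst_ip, src_expr, groups) and addr_matches(src_ip, dst_expr, groups))

# The scan as seen on the public interface before DNAT: the scanner's NATed public
# address talking to the server's public address (constructed, RFC 5737 ranges).
SCAN_SRC, SCAN_DST = "203.0.113.10", "198.51.100.20"
RULE = 'alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"scan"; sid:1;)'

def demo():
    """Header match result under three variable settings."""
    public_in_home = {"HOME_NET": "[192.168.0.0/16," + SCAN_DST + "]",
                      "EXTERNAL_NET": "!$HOME_NET"}
    return {"internal_only": rule_header_matches(RULE, SCAN_SRC, SCAN_DST, INTERNAL_ONLY),
            "any_any": rule_header_matches(RULE, SCAN_SRC, SCAN_DST, ANY_ANY),
            "public_ip_in_home_net": rule_header_matches(RULE, SCAN_SRC, SCAN_DST, public_in_home)}
```

Running `demo()` returns False for the internal-only table and True for the other two, which is the behaviour the thread observed when switching to "any".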


More information about the Oisf-users mailing list