[Oisf-users] Suricata not detecting nmap scan?

Claudio Kuenzler ck at claudiokuenzler.com
Thu Oct 23 15:40:28 UTC 2014 

The public IP's (of both remote requester and the public IP of the web
server) are shown in the http log.

Suricata is configured to listen on eth0 which is the interface facing
public traffic.
On Oct 23, 2014 5:08 PM, "rmkml" <rmkml at yahoo.fr> wrote:

> Good!
>
> what's IPs appear on http-log please ? internal IPs ? external/nat IPs ?
>
> What network interface Suricata listen please ? internal ? external ?
> (maybe before NAT?)
>
> HOME_NET and EXTERNAL_NET need to understand where Suricata listen...
>
> Regards
> @Rmkml
>
>
> On Thu, 23 Oct 2014, Claudio Kuenzler wrote:
>
>  Halleluja!
>>
>> After having changed HOME_NET and EXTERNAL_NET to any:
>>
>>     HOME_NET: "any"
>>
>>     EXTERNAL_NET: "any"
>>
>> ... Suricata is now successfully detecting the scan as alert and is
>> writing the alert into the unified2 file.
>>
>> Excellent advice rmkml, thanks.
>>
>> Just for the better understanding: If the machine Suricata is installed
>> on a machine which serves as firewall/router, should HOME_NET and
>> EXTERNAL_NET generally be set to "any"?
>>
>> On Thu, Oct 23, 2014 at 4:42 PM, rmkml <rmkml at yahoo.fr> wrote:
>>       Could you check:
>>       https://redmine.openinfosecfoundation.org/projects/suricata/wiki/
>> Setting_up_IPSinline_for_Linux
>>
>>       Well, if I understand correctly, Suricata log http request without
>> nfqueue, if yes: you don't need nfqueue ;) (for suricata)
>>       or you need a "IPS" mode ?
>>
>>       could you change $HOME_NET to any ? (because translation)
>>       Same with $EXTERNAL_NET to any please (for testing)
>>
>>       like this:
>>       alert http any any -> any any (...
>>
>>       Regards
>>       @Rmkml
>>
>>
>>       On Thu, 23 Oct 2014, Claudio Kuenzler wrote:
>>
>>
>>
>>                   Thx Claudio,
>>
>>
>>             Well thank you! :)
>>
>>
>>                   ok, could you enable log on http/dns for testing please
>> ? do you have log after ?
>>
>>
>>             Actually the logging of http works. Already before I disabled
>> the checksum validation. I see typical requests to the web server.
>>             And I also see my nmap request in the http log - that's why
>> I'm confused. Suricata sees the traffic from nmap going by, logging it in
>> the http log but does not alert?
>>
>>
>>                   where you start nmap please ? internal -> external ?
>> external -> internal ?
>>
>>
>>             I launched nmap from my machine at home in internal network,
>> being natted to an external IP and then straight to the server listening on
>> a public IP, where suricata is installed. The http traffic is then natted
>> from the public to an
>>             internal ip.
>>             So: internal -> NAT -> external -> NAT -> internal
>>
>>
>>                   what is your nfqueue configuraton please ?
>>
>>
>>             That's exactly the point where I am not sure. Do I have to
>> add an ipfilter rule for the NFQUEUE or not?
>>             Currently there is no NFQUEUE rule nor any special
>> configuration I did on the machine (concerning NFQUEUE).
>>
>>
>>                   are you sure nmap check http please ? (http is
>> avalaible ? fw is open ?)
>>
>>
>>             The nmap command is "nmap -Pn -sS -A -f TARGETIP". Yes, it
>> does check for http information, as I can see in the output:
>>
>>             80/tcp   open   http    nginx
>>             |_http-title: XXX
>>             |_http-methods: No Allow or Public header in OPTIONS response
>> (status code 200)
>>             443/tcp  open   http    nginx
>>             |_http-methods: No Allow or Public header in OPTIONS response
>> (status code 400)
>>             |_http-title: 400 The plain HTTP request was sent to HTTPS
>> port
>>             | ssl-cert: Subject: commonName=*.smartlinksa.ch/
>> organizationName=XXXX/stateOrProvinceName=XXXX/countryName=CH
>>
>>
>>
>>                   could you record network packet like full tcpdump
>> please ?
>>
>>
>>             Will do that if necessary (and send you private). But I still
>> have some hope its due to the "non-configured" NFQUEUE situation. I have so
>> far believed that this would not be necessary for suricata to run, but
>> maybe it is? As stated
>>             above, that's the point
>>             where I am not sure.
>>
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20141023/1a6566f1/attachment-0002.html>

More information about the Oisf-users mailing list