aleksibovellan / opnsense-suricata-nmaps

OPNSense's Suricata IDS/IPS Detection Rules Against NMAP Scans
MIT License
55 stars 4 forks source link
crowdsec ids intrusion-detection intrusion-detection-system intrusion-prevention intrusion-prevention-system ips nmap nmap-results-analyse nmap-scan nmap-scans opnsense opnsense-firewall opnsense-plugins pfsense port-scan port-scanning suricata suricata-rule suricata-rules

OPNsense's Suricata IDS/IPS NMAP Detection Rules

UPDATED: VERSION 2.1 NOW DETECTS EVEN MORE NMAP SCAN TYPES: -sS, -sT, sA, -sX, -f and -sU

(Latest update: May 26th 2024 by Aleksi Bovellan)

Because there weren't many working detection alert rules against different types of NMAP port scans in OPNSense's Suricata IDS/IPS, or even in Suricata's ET Telemetry Pro ruleset (which can be activated for free at: https://shop.opnsense.com/product/etpro-telemetry/), especially against slower NMAP scan speeds like T1-T3, I wrote a bundle of my own Suricata detection rules to detect and log as many as possible between scan speeds of T1-T5.

These rules have been tested in a SoHo / home environment without problems. Latest versions tested: OPNsense 24.1.6 and Suricata 7.0.4.

screenshot

INCLUDED IN VERSION 2.1

Detection rules against the following commands:

GENERAL

These detection rules work by looking for specific NMAP packet window sizes, flags, port numbers, and known NMAP timing intervals.

The readability in Suricata's detection log have now also been improved for these rules, so it's more easy to instantly see the occured NMAP scan type. (See screenshot).

USAGE (EASY!)

IMPORTANT: If a previous customized "local.rules" file exists in your Suricata (/usr/local/etc/suricata/rules/local.rules), check for duplicate rule "sid" numbers in the existing one and this one, and modify them as you wish, so that there will be no duplicate rule numbers after this one.

KNOWN ISSUES

CROWDSEC COMPATIBILITY

If you are running both OPNSense/Suricata and CrowdSec plugin, CrowdSec automatically bans IP addresses which are collected from global threat intelligence sources, but it also bans IP addresses which are detected running port scans with scan speeds down to T2, but not down to T0-T1. Of course you can always whitelist your own attacking IP address in CrowdSec (config file at: /usr/local/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml) for testing or permanent purposes, or otherwise you might get IP-banned from your own router by CrowdSec while testing different NMAP scans. CrowdSec ignores fragmented NMAP scans though. For more information check: https://docs.crowdsec.net/docs/next/whitelist/format/#whitelist-configuration-example