aleksibovellan / opnsense-suricata-nmaps
OPNSense's Suricata IDS/IPS Detection Rules Against NMAP Scans
License: MIT License
Taking a quick look at your rules I see that you are using the local sid space. Before considering these rules for the Suricata Rule Index (https://github.com/OISF/suricata-intel-index), they should use a unique range.
I could provide you a SID allocation starting at 3400000, with 100000 SIDs? Would that work? That would also get you listed over at https://sidallocation.org.
Thanks.
I am wondering what the relation of your rules to OPNsense is. Are they adapted from anything they provide, or did you just name the repo "OPNsense's ... Rules" because they are meant to be used with OPNsense?
I am asking because I am unsure how to attribute the ruleset. It would be nice if you could clarify. Thanks!
Hi!
I'm getting an error message when trying this local.rules with OPNsense 24.7.2-amd64.
Just download the file with "curl -O https://raw.githubusercontent.com/aleksibovellan/opnsense-suricata-nmaps/main/local.rules"
Take a look at the file and the first line is OK:
# OPNsense's Suricata IDS/IPS Detection Rules Against NMAP Scans
Go to Administration --> Rules, and click Apply
And just after that, I can see this error in the log file:
<Error> -- error parsing signature "PNsense's Suricata IDS/IPS Detection Rules Against NMAP Scans" from file /usr/local/etc/suricata/opnsense.rules/local.rules at line 1
<Error> -- no terminating ";" found
Now take a look again at local.rules and voila:
PNsense's Suricata IDS/IPS Detection Rules Against NMAP Scans
Something is truncating the file after clicking Apply.
Has anyone faced this problem?
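A small pre-Apply check for a local.rules file that covers both points raised in this thread: rule sids outside the allocated range, and lines that are not complete signatures (the symptom of the truncated first line above, which Suricata reports as 'no terminating ";" found'). This is an added example, not code from the repository or from anyone in the thread; the 3400000 range is taken from the SID offer above, and the sample file content, rule text and function names are constructed.

```python
import re

# Allocation offered in the thread: 100000 sids starting at 3400000.
SID_RANGE = (3400000, 3400000 + 100000 - 1)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def check_rules(text, sid_range=SID_RANGE):
    """Return a list of (line_number, problem) for a Suricata rules file."""
    problems = []
    seen = {}  # sid -> first line it appeared on
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line: nothing to check
        if not line.endswith(";)"):
            # A comment that lost its leading '#' (e.g. "PNsense's ...")
            # lands here; Suricata would refuse the whole file.
            problems.append((lineno, "not a complete signature (missing ';)')"))
            continue
        m = SID_RE.search(line)
        if not m:
            problems.append((lineno, "no sid"))
            continue
        sid = int(m.group(1))
        if not sid_range[0] <= sid <= sid_range[1]:
            problems.append((lineno, f"sid {sid} outside allocated range"))
        if sid in seen:
            problems.append((lineno, f"sid {sid} duplicates line {seen[sid]}"))
        seen.setdefault(sid, lineno)
    return problems

# Constructed sample (not the repository's rules): a comment, one rule in the
# allocated range, one rule left in the local sid space, and the truncated
# comment line quoted in the issue above.
SAMPLE = """\
# OPNsense's Suricata IDS/IPS Detection Rules Against NMAP Scans
alert tcp any any -> $HOME_NET 4444 (msg:"CONSTRUCTED example rule"; sid:3400020; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"CONSTRUCTED local-space rule"; sid:1000001; rev:1;)
PNsense's Suricata IDS/IPS Detection Rules Against NMAP Scans
"""

if __name__ == "__main__":
    for lineno, problem in check_rules(SAMPLE):
        print(f"line {lineno}: {problem}")
```

Run it against the downloaded local.rules (and again against the file OPNsense writes under /usr/local/etc/suricata/opnsense.rules/) to see whether the truncation happens on download or on Apply.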
This is the output:
$ nmap 172.19.0.2
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-05 17:08 -03
Nmap scan report for 172.19.10.2
Host is up (0.024s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
1198/tcp open cajo-discovery
Nmap done: 1 IP address (1 host up) scanned in 4.80 seconds
Logs:
09/05/2024-17:11:34.995490 [Drop] [**] [1:3400020:2] POSSBL SCAN SHELL M-SPLOIT TCP [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.01.2:42088 -> 172.19.0.2:4444
09/05/2024-17:11:35.255068 [Drop] [**] [1:3400020:2] POSSBL SCAN SHELL M-SPLOIT TCP [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.01.2:42090 -> 172.19.10.2:4444
I'm running a test with suricata -T and it doesn't show errors, but the rule doesn't recognize the nmap scan.
Obs.: I tested with -sS, etc.