aleksibovellan / opnsense-suricata-nmaps Goto Github PK

Taking a quick look at your rules I see that you are using the local sid space. Before considering these rules for the Suricata Rule Index (https://github.com/OISF/suricata-intel-index), they should use a unique range.

I could provide you a SID allocation starting at 3400000, with 100000 SIDs? Would that work? That would also get you listed over at https://sidallocation.org.

Thanks.

I am wondering what the relation of your rules to OPNsense is. Are there adapted from anything they provide or did you just name the repo "OPNsense's ... Rules" because they are meant to be used with OPNsense?

I am asking because I am unsure how to attribute the ruleset. It would be nice if you could clarify. Thanks!

Hi!

I'm having error message when trying this local.rules with OPNsense 24.7.2-amd64.

Just download file with "curl -O https://raw.githubusercontent.com/aleksibovellan/opnsense-suricata-nmaps/main/local.rules"
Take a look to the file and the first line it's ok:
# OPNsense's Suricata IDS/IPS Detection Rules Against NMAP Scans

Go to Administration --> Rules, and click Apply

And just after that, I can see this error in Log File:

<Error> -- error parsing signature "PNsense's Suricata IDS/IPS Detection Rules Against NMAP Scans" from file /usr/local/etc/suricata/opnsense.rules/local.rules at line 1
<Error> -- no terminating ";" found

Now take a look again to local.rules and voila:
PNsense's Suricata IDS/IPS Detection Rules Against NMAP Scans

Something is truncating the file after clicking Apply.

Has anyone faced this problem?

This out:

$ nmap 172.19.0.2
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-05 17:08 -03
Nmap scan report for 172.19.10.2
Host is up (0.024s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
1198/tcp open  cajo-discovery

Nmap done: 1 IP address (1 host up) scanned in 4.80 seconds

Logs:

09/05/2024-17:11:34.995490  [Drop] [**] [1:3400020:2] POSSBL SCAN SHELL M-SPLOIT TCP [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.01.2:42088 -> 172.19.0.2:4444
09/05/2024-17:11:35.255068  [Drop] [**] [1:3400020:2] POSSBL SCAN SHELL M-SPLOIT TCP [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.01.2:42090 -> 172.19.10.2:4444

I'm running test in with suricata -T and dont show errors, but the rule dont recongize nmap scan.

Obs.: I test with -sS, etc