
I'd like to detect UDP port scans in Suricata.

I searched Google, but I didn't manage to find a Suricata rule for detecting UDP port scan attempts.
I saw a Snort rule for this scan before.

How can we detect this kind of scan in Suricata?


1 Answer

There are plenty of examples of UDP scans within the ET community signatures for Suricata.

One thing you have to keep in mind is the very nature of a UDP scan: someone is trying to elicit a response through a socket on those ports via UDP. You may also want to consider creating flow rules related to the UDP protocol, saying that # of connections with a null (or suspected common scanner payload) is seen sourcing from an offending host to multiple hosts in something like $HOME_NET, and the flow keywords might include from_client, stateless.
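As an added illustration of the threshold-based approach the answer sketches (these rules are not from the answer or from the ET ruleset): one rule counts empty UDP probes per source, the other counts the ICMP port-unreachable replies a scan of closed ports produces. The sids, the `count`/`seconds` values and the `LOCAL` msg prefix are constructed and should be tuned to your network.

```suricata
# Added example rules, not part of the original answer. sids 1000001-1000002 and the
# count/seconds thresholds are constructed placeholders; tune them for your traffic.

# Rule 1: one external source sends many zero-length UDP datagrams into $HOME_NET in a
# short window. dsize:0 matches the null-payload probes mentioned in the answer; tracking
# by_src aggregates hits against many hosts and ports under the scanning address, and
# type both raises one alert per window once count is reached instead of one per packet.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL UDP scan - many empty UDP probes from one source"; flow:to_server; dsize:0; threshold: type both, track by_src, count 20, seconds 10; classtype:attempted-recon; sid:1000001; rev:1;)

# Rule 2: the response side. A closed UDP port answers with ICMP destination unreachable,
# port unreachable (itype 3, icode 3). A burst of those leaving $HOME_NET toward a single
# external address is the scanner being told "closed" repeatedly; tracking by_dst groups
# the replies under the scanner's address.
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL UDP scan - burst of ICMP port unreachable to one external host"; itype:3; icode:3; threshold: type both, track by_dst, count 20, seconds 10; classtype:attempted-recon; sid:1000002; rev:1;)
```

Rule 1 sees probes whether or not the target port is open, while Rule 2 only sees closed ports, so the two are complementary and can be correlated on the external address in the resulting alerts.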