I'd like to detect UDP port scans in Suricata.
I searched Google, but I didn't manage to find a Suricata rule for detecting UDP port scan attempts.
I saw a Snort rule for this scan before.
How can we detect this kind of scan in Suricata?
There are plenty of examples of UDP scans within the ET community signatures for Suricata.
One thing you have to keep in mind is the very nature of a UDP scan: someone is trying to elicit a response through a socket on those ports via UDP. You may also want to consider creating flow rules related to the UDP protocol, for example saying that a number of connections with a null payload (or a suspected common scanner payload) is seen sourcing from an offending host to multiple hosts in something like $HOME_NET; the flow bit words that might be included are from_client and stateless.
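As an added example (not from the answer above or from the ET ruleset), one way to write that idea as a local Suricata rule: it assumes the default $EXTERNAL_NET/$HOME_NET variables, an arbitrary local sid, and a count and window (20 datagrams in 60 seconds) that you would tune for your network.

```suricata
# Added example, not from the original answer. Fires once per source when an
# external host sends many zero-payload UDP datagrams into $HOME_NET within 60 s.
# from_client + stateless: match the first packet of each new UDP "flow" without
# waiting for a reply; dsize:0 selects the empty probes most scanners send by default.
# The count/seconds values and sid 1000001 are assumed placeholders to tune.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL UDP zero-payload probe burst from single source"; flow:from_client,stateless; dsize:0; threshold:type both, track by_src, count 20, seconds 60; classtype:attempted-recon; sid:1000001; rev:1;)
```

The threshold keyword counts matches per source address, not distinct destination hosts, so this also fires on a burst against a single target; check the destination addresses of the matching flows in eve.json before treating an alert as a sweep.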