Skip to content

Releases: aleksibovellan/opnsense-suricata-nmaps

v.2.1

Choose a tag to compare

@aleksibovellan aleksibovellan released this 26 May 13:05
90052d0
  • Added a "TCP window size" value to the -sT scan rule to improve its detection rate (now works with T2 scan speeds instead of previous T3 ->), and also to minimize unnecessary false alarms
  • Improved the common port lists in several rules to minimize unnecessary false alarms in busier environments like the Active Directory
  • Updated README

v.2.02

Choose a tag to compare

@aleksibovellan aleksibovellan released this 24 May 08:19
dae85db
  • Edited all rule SID numbers to better match SIDAllocation specifications
  • Edited a couple of port numbers in the rules

v.2.01

Choose a tag to compare

@aleksibovellan aleksibovellan released this 10 May 09:07
ffed2b4

A small fix to destination port 4444 detections:

Excluded a few common service source port numbers from those rules to avoid false alarms due to destination ephemeral ports receiving sometimes being 4444

v.2.0

Choose a tag to compare

@aleksibovellan aleksibovellan released this 09 May 09:02
2ef456b
  • Added new NMAP scan types (in addition to the previous -sS, -f and -SU, now also detects -sT, -sA and -sX types)
  • Fine-tuned the existing rules
  • Improved the readability of the created Suricata alert log entries
  • Removed source port 4444 from "MetaSploit Shell default" detection, due to false alarms, but left "destination port" rules with 4444
  • Improved README.md

v.1.4.3

Choose a tag to compare

@aleksibovellan aleksibovellan released this 24 Mar 03:57
3f08c17

Updated the rules with traffic flow directions, so Suricata's reloading informational alerts about traffic directions is now fixed and appear no more. Also, removed disabled rules, and re-numbered the existing rule id numbers.

v.1.4.2

Choose a tag to compare

@aleksibovellan aleksibovellan released this 08 Jun 18:00
6c78a2d

Added some ports back into detection range, and tweaked some rules, especially the two -sT -T0 rules were causing some false positivies from legit TCP SYN ACK traffic, so they are now disabled, but -sT -T0 scan can still be detected by other rules giving them enough time. -sS -T0 type scans and faster, and/or -sT -T1 or faster, are still detected as before.

v.1.4.1

Choose a tag to compare

@aleksibovellan aleksibovellan released this 08 Jun 00:43
f4c3009

Removed ports 80 and 443 from some -sT scan rules, due to false positives resulting from legit web browsing

v.1.4

Choose a tag to compare

@aleksibovellan aleksibovellan released this 07 Jun 08:16
cfec071

Added detection rules for the slowest Nmap speed of -T0, without noticable false positive alarms so far.

v.1.3

Choose a tag to compare

@aleksibovellan aleksibovellan released this 06 Jun 16:13
047d568

TCP based scan detection rules rewritten, they now inspect TCP packet window sizes, flags and/or MSS values in addition to just timing intervals and ports. This resolved almost all false positive alerts from trying to detect slower TCP scans, and also lowered detected Nmap scan speeds (including TCP types) down to speed -T1. Currently -T0 is still too slow to detect without false positives. Also, UDP and fragmented scan timing intervals were made more common between other similar rules. These latest rule fixes were based on WireShark captures gotten during recent rule testing. General cleanups. Cosmetic touches.

v.1.1

Choose a tag to compare

@aleksibovellan aleksibovellan released this 05 Jun 23:04
1427f59

Slightly higher packet counter / timing limits, due to some false positive alerts. As a result, missed Nmap scan types are especially: unfragmented TCP SYN scans at -T1 or below. Added detection rules for port 4444 TCP/UDP, since it's a classic MetaSploit / MeterPreter / NetCat port.