Releases: aleksibovellan/opnsense-suricata-nmaps
v.2.1
- Added a "TCP window size" check to the -sT scan rule, which improves its detection rate (the rule now fires on -T2 scans and faster; previously only on -T3 and faster) and also reduces unnecessary false alarms
- Improved the common-port lists in several rules to reduce unnecessary false alarms in busier environments such as Active Directory networks
- Updated README
v.2.02
- Renumbered all rule SIDs to better match the SIDAllocation specification
- Edited a couple of port numbers in the rules
v.2.01
A small fix to the destination port 4444 detections:
Excluded a few common service source ports from those rules, to avoid false alarms when a legitimate reply from a well-known service happens to land on a client's ephemeral port 4444
v.2.0
- Added new Nmap scan types: in addition to the previous -sS, -sU and fragmented (-f) scans, the rules now also detect -sT, -sA and -sX scans
- Fine-tuned the existing rules
- Improved the readability of the Suricata alert log entries the rules generate
- Removed source port 4444 from the "Metasploit shell default" detection due to false alarms, but kept the destination port 4444 rules
- Improved README.md
v.1.4.3
Added traffic flow directions to the rules, so the informational messages Suricata logged about missing directions on rule reload no longer appear. Also removed the disabled rules and renumbered the existing rule IDs.
v.1.4.2
Added some ports back into the detection range and tweaked some rules. In particular, the two -sT -T0 rules were causing false positives on legitimate TCP SYN/ACK traffic, so they are now disabled; a -sT -T0 scan can still be detected by the other rules, given enough time. -sS scans at -T0 and faster, and -sT scans at -T1 and faster, are still detected as before.
v.1.4.1
Removed ports 80 and 443 from some -sT scan rules, due to false positives from legitimate web browsing
v.1.4
Added detection rules for the slowest Nmap timing template, -T0, with no noticeable false positive alarms so far.
v.1.3
TCP-based scan detection rules rewritten: they now inspect TCP window size, flags and/or MSS values in addition to timing intervals and ports. This resolved almost all false positive alerts from detecting slower TCP scans, and lowered the slowest detectable Nmap speed (TCP scan types included) to -T1. -T0 is currently still too slow to detect without false positives. UDP and fragmented scan timing intervals were also aligned with the other similar rules. These fixes were based on Wireshark captures taken during recent rule testing. General cleanups. Cosmetic touches.
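The v1.3 and v2.1 notes describe the same idea: count SYNs per source within a time interval, but only after checking TCP header fields (window size, flags, MSS), so the count threshold can stay low without firing on ordinary clients. The following is an added Python model of that approach, written for this page; it is not code from the opnsense-suricata-nmaps repository and does not reproduce its rule text. It mirrors what Suricata's `detection_filter: track by_src, count N, seconds T` does in combination with `flags` and `window` checks. Assumptions not taken from the project: the per-probe spacing of Nmap's timing templates (-T0 300 s, -T1 15 s, -T2 0.4 s, -T3 none), window 1024 as a stand-in for a scanner's raw SYN and 64240 for a normal client's SYN, and the hand-constructed sample traffic in `build_sample_traffic()`.

```python
"""Added example, not code from the opnsense-suricata-nmaps repository.

Models the detection approach described in the release notes: count TCP
SYNs per source inside a sliding time window (like Suricata's
`detection_filter: track by_src, count N, seconds T`), but only for
packets that first pass header checks on TCP flags and window size.

Assumptions, not taken from the project: the probe spacing of Nmap's
timing templates (-T0 300 s, -T1 15 s, -T2 0.4 s, -T3 none), window 1024
as a stand-in for a scanner's raw SYN and 64240 for a normal client's
SYN, and the hand-constructed sample traffic in build_sample_traffic().
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float    # capture time in seconds
    src: str     # source IP
    dport: int   # destination TCP port
    flags: str   # TCP flags, e.g. "S", "SA", "FPU"
    window: int  # TCP window size from the header


# Assumed per-probe scan delay of Nmap timing templates (seconds).
SCAN_DELAY = {"T0": 300.0, "T1": 15.0, "T2": 0.4, "T3": 0.0}


def nmap_probes(src, template, ports, window=1024, start=0.0):
    """Construct the SYN probes an Nmap scan of `ports` would send from `src`."""
    delay = SCAN_DELAY[template]
    return [Pkt(start + i * delay, src, p, "S", window) for i, p in enumerate(ports)]


class SynScanDetector:
    """Per-source sliding-window counter with optional header filters."""

    def __init__(self, count, seconds, window_sizes=None, flags="S"):
        self.count = count                # matches needed within `seconds`
        self.seconds = seconds
        self.window_sizes = window_sizes  # None: do not inspect window size
        self.flags = flags                # "S" only: SYN/ACK replies never count
        self._hits = defaultdict(deque)

    def matches(self, pkt):
        if pkt.flags != self.flags:
            return False
        return self.window_sizes is None or pkt.window in self.window_sizes

    def feed(self, pkt):
        """Return True when `pkt` brings its source up to the threshold."""
        if not self.matches(pkt):
            return False
        q = self._hits[pkt.src]
        q.append(pkt.ts)
        while pkt.ts - q[0] > self.seconds:  # drop hits older than the window
            q.popleft()
        return len(q) >= self.count


def alerts(detector, packets):
    """Sources that trip `detector` when `packets` are replayed in time order."""
    hits = set()
    for pkt in sorted(packets, key=lambda p: p.ts):
        if detector.feed(pkt):
            hits.add(pkt.src)
    return sorted(hits)


def build_sample_traffic():
    """Constructed sample: one busy legitimate client and three scanners."""
    # 20 connections in 2 s from a browser (OS default window, plain SYN)
    client = [Pkt(0.1 * i, "10.0.0.5", 443, "S", 64240) for i in range(20)]
    ports = list(range(1, 21))
    return (client
            + nmap_probes("10.0.0.9", "T2", ports)
            + nmap_probes("10.0.0.10", "T1", ports)
            + nmap_probes("10.0.0.11", "T0", ports))


if __name__ == "__main__":
    traffic = build_sample_traffic()
    # Timing only: the busy client looks like a -T2 scan (false positive).
    print("count/seconds only:", alerts(SynScanDetector(5, 2), traffic))
    # Same threshold plus a window-size check: only the scanner remains.
    print("+ window size     :", alerts(SynScanDetector(5, 2, {1024}), traffic))
    # A longer interval catches -T1; -T0 (5 min between probes) still escapes.
    print("+ window, 90 s    :", alerts(SynScanDetector(5, 90, {1024}), traffic))
```

Running it shows the trade-off these notes describe: with a timing threshold alone the busy client is flagged alongside the -T2 scanner; adding the window-size check removes that false positive at the same threshold; and the slowest template a rule can catch is fixed by its count/seconds pair, which is why -T0 needed its own, longer-interval rules.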
v.1.1
Slightly higher packet counter / timing limits, due to some false positive alerts. As a result, the scans now missed are mainly unfragmented TCP SYN scans at -T1 or slower. Added detection rules for port 4444 TCP/UDP, since it is a classic Metasploit / Meterpreter / Netcat port.