Detects network reconnaissance and port scanning using Suricata and Snort IDS signatures, threshold rules, and traffic anomaly analysis. Identifies Nmap, Masscan, and custom scans.
npx claudepluginhub killvxk/cybersecurity-skills-zhThis skill uses the workspace's default tool permissions.
网络扫描(network scanning)通常是攻击的第一阶段,攻击者使用 Nmap、Masscan、ZMap 和自定义扫描工具枚举活跃主机、开放端口、运行中的服务和操作系统版本。检测这种侦察活动可以为潜在攻击提供早期预警。Suricata 和 Snort 等 IDS/IPS 系统可通过三种方式识别扫描:基于签名的检测(匹配已知扫描工具的数据包模式)、基于阈值的检测(统计一段时间内的连接尝试次数)和异常检测(识别异常流量模式)。本技能涵盖编写和部署用于扫描检测的 IDS 签名、配置基于阈值的告警,以及将扫描活动与下游攻击指标进行关联。
Detects network scanning (Nmap, Masscan) using Suricata/Snort IDS signatures, threshold rules, and traffic anomaly analysis for early reconnaissance alerts.
Detects network reconnaissance and port scanning using Suricata and Snort IDS signatures, threshold-based rules, and traffic anomaly analysis for Nmap, Masscan, and custom scanners.
Performs advanced Nmap network reconnaissance on authorized targets: host discovery, port/service scanning, OS identification, vulnerability detection via NSE, and firewall evasion techniques.
Share bugs, ideas, or general feedback.
网络扫描(network scanning)通常是攻击的第一阶段,攻击者使用 Nmap、Masscan、ZMap 和自定义扫描工具枚举活跃主机、开放端口、运行中的服务和操作系统版本。检测这种侦察活动可以为潜在攻击提供早期预警。Suricata 和 Snort 等 IDS/IPS 系统可通过三种方式识别扫描:基于签名的检测(匹配已知扫描工具的数据包模式)、基于阈值的检测(统计一段时间内的连接尝试次数)和异常检测(识别异常流量模式)。本技能涵盖编写和部署用于扫描检测的 IDS 签名、配置基于阈值的告警,以及将扫描活动与下游攻击指标进行关联。
| 扫描类型 | Nmap 参数 | 数据包特征 | 检测方法 |
|---|---|---|---|
| TCP SYN | -sS | 仅 SYN 标志,不完成握手 | 无 SYN/ACK 响应的 SYN 模式 |
| TCP Connect | -sT | 完整三次握手 | 来自单一来源的多个连接 |
| TCP FIN | -sF | 仅 FIN 标志 | FIN 发到关闭端口(RST 响应) |
| TCP Xmas | -sX | FIN+PSH+URG 标志 | 异常标志组合 |
| TCP NULL | -sN | 无标志位 | 零标志 TCP 数据包 |
| UDP Scan | -sU | UDP 发到多个端口 | ICMP 端口不可达响应 |
| ACK Scan | -sA | 仅 ACK 标志(探测防火墙) | 未经请求的 ACK 数据包 |
| SYN/ACK Scan | 自定义 | 没有先前 SYN 的 SYN+ACK | 状态违规 |
| OS 指纹识别 | -O | 异常 TCP 选项/窗口大小 | 特定选项组合 |
| 版本检测 | -sV | 服务探测字符串 | 已知探测载荷 |
| 模板 | Nmap 参数 | 速度 | 检测难度 |
|---|---|---|---|
| Paranoid | -T0 | 每 5 分钟 1 个探测 | 极难 |
| Sneaky | -T1 | 每 15 秒 1 个探测 | 困难 |
| Polite | -T2 | 每 0.4 秒 1 个探测 | 中等 |
| Normal | -T3 | 默认并行度 | 容易 |
| Aggressive | -T4 | 并行,1.25 秒超时 | 很容易 |
| Insane | -T5 | 最大并行度 | 极易 |
创建 /var/lib/suricata/rules/scan-detection.rules:
# === TCP 扫描检测 ===
# 检测 TCP SYN 扫描(大量 SYN 但未完成)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN TCP SYN Scan Detected"; flags:S,12; threshold:type both,track by_src,count 30,seconds 10; classtype:attempted-recon; sid:5000001; rev:2;)
# 检测 TCP FIN 扫描
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN TCP FIN Scan"; flags:F,12; threshold:type both,track by_src,count 20,seconds 60; classtype:attempted-recon; sid:5000002; rev:1;)
# 检测 TCP Xmas 扫描(FIN+PSH+URG)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN TCP Xmas Tree Scan"; flags:FPU,12; classtype:attempted-recon; sid:5000003; rev:1;)
# 检测 TCP NULL 扫描(无标志)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN TCP NULL Scan"; flags:0,12; classtype:attempted-recon; sid:5000004; rev:1;)
# 检测 ACK 扫描(探测防火墙)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN TCP ACK Scan"; flags:A,12; flow:stateless; threshold:type both,track by_src,count 50,seconds 30; classtype:attempted-recon; sid:5000005; rev:1;)
# 检测 SYN+ACK 扫描(异常无状态探测)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN TCP SYN-ACK Scan"; flags:SA,12; flow:stateless; threshold:type both,track by_src,count 30,seconds 30; classtype:attempted-recon; sid:5000006; rev:1;)
# === UDP 扫描检测 ===
# 检测 UDP 端口扫描
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN UDP Port Scan"; threshold:type both,track by_src,count 30,seconds 10; classtype:attempted-recon; sid:5000010; rev:1;)
# === Nmap 专项检测 ===
# 检测 Nmap 操作系统指纹识别(T1 探测——ECN SYN)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Nmap OS Fingerprint Probe"; flags:SEC,12; window:1; classtype:attempted-recon; sid:5000020; rev:1;)
# 检测 Nmap 窗口扫描(特定窗口大小模式)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Nmap Window Size Probe"; flags:A,12; flow:stateless; window:1024; threshold:type both,track by_src,count 10,seconds 30; classtype:attempted-recon; sid:5000021; rev:1;)
# 检测 Nmap 版本检测探测
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Nmap Service Version Probe"; flow:established; content:"HELP"; depth:4; threshold:type both,track by_src,count 5,seconds 60; classtype:attempted-recon; sid:5000022; rev:1;)
# 检测 Nmap 脚本引擎(NSE)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Nmap NSE HTTP Script"; http.user_agent; content:"Nmap Scripting Engine"; classtype:attempted-recon; sid:5000023; rev:1;)
# === Masscan 检测 ===
# 检测 Masscan SYN 扫描(特定窗口大小)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Masscan SYN Scan Detected"; flags:S,12; window:1024; threshold:type both,track by_src,count 100,seconds 10; classtype:attempted-recon; sid:5000030; rev:1;)
# === 内部扫描检测 ===
# 检测内部主机扫描(横向移动侦察)
alert tcp $HOME_NET any -> $HOME_NET any (msg:"SCAN Internal Network Scan Detected"; flags:S,12; threshold:type both,track by_src,count 50,seconds 30; classtype:attempted-recon; sid:5000040; rev:1;)
# 检测内部 ICMP 扫描
alert icmp $HOME_NET any -> $HOME_NET any (msg:"SCAN Internal ICMP Sweep"; itype:8; threshold:type both,track by_src,count 30,seconds 10; classtype:attempted-recon; sid:5000041; rev:1;)
编辑 /etc/suricata/threshold.config:
# 对已授权的漏洞扫描器抑制扫描告警
suppress gen_id 1, sig_id 5000001, track by_src, ip 10.0.5.100
suppress gen_id 1, sig_id 5000001, track by_src, ip 10.0.5.101
# 限制扫描告警速率,防止日志洪泛
rate_filter gen_id 1, sig_id 5000001, track by_src, count 5, seconds 300, new_action alert, timeout 600
rate_filter gen_id 1, sig_id 5000040, track by_src, count 3, seconds 300, new_action alert, timeout 600
# 关键内部扫描的事件过滤
event_filter gen_id 1, sig_id 5000040, type both, track by_src, count 1, seconds 60
#!/usr/bin/env python3
"""分析 IDS 告警中的网络扫描活动并生成报告。"""
import json
import sys
from collections import defaultdict
from datetime import datetime
class ScanDetector:
"""关联 IDS 告警以识别扫描活动。"""
def __init__(self):
self.scan_events = defaultdict(lambda: {
'source_ip': '',
'target_ips': set(),
'target_ports': set(),
'scan_types': set(),
'alert_count': 0,
'first_seen': None,
'last_seen': None,
'signatures': defaultdict(int),
})
def process_eve_json(self, filepath: str):
"""处理 Suricata EVE JSON 告警日志。"""
with open(filepath, 'r') as f:
for line in f:
try:
event = json.loads(line)
if event.get('event_type') != 'alert':
continue
alert = event.get('alert', {})
sig = alert.get('signature', '')
if 'SCAN' not in sig:
continue
src_ip = event.get('src_ip', '')
dst_ip = event.get('dest_ip', '')
dst_port = event.get('dest_port', 0)
ts = datetime.fromisoformat(
event['timestamp'].replace('Z', '+00:00')
)
scanner = self.scan_events[src_ip]
scanner['source_ip'] = src_ip
scanner['target_ips'].add(dst_ip)
scanner['target_ports'].add(dst_port)
scanner['alert_count'] += 1
scanner['signatures'][sig] += 1
if 'SYN' in sig:
scanner['scan_types'].add('SYN 扫描')
elif 'FIN' in sig:
scanner['scan_types'].add('FIN 扫描')
elif 'Xmas' in sig:
scanner['scan_types'].add('Xmas 扫描')
elif 'NULL' in sig:
scanner['scan_types'].add('NULL 扫描')
elif 'UDP' in sig:
scanner['scan_types'].add('UDP 扫描')
elif 'Nmap' in sig:
scanner['scan_types'].add('检测到 Nmap')
elif 'Masscan' in sig:
scanner['scan_types'].add('检测到 Masscan')
elif 'Internal' in sig:
scanner['scan_types'].add('内部扫描')
if scanner['first_seen'] is None or ts < scanner['first_seen']:
scanner['first_seen'] = ts
if scanner['last_seen'] is None or ts > scanner['last_seen']:
scanner['last_seen'] = ts
except (json.JSONDecodeError, KeyError, ValueError):
continue
def generate_report(self):
"""生成扫描检测报告。"""
scanners = sorted(
self.scan_events.values(),
key=lambda x: x['alert_count'],
reverse=True
)
print(f"\n{'='*70}")
print("网络扫描检测报告")
print(f"{'='*70}")
print(f"唯一扫描来源:{len(scanners)}\n")
for scanner in scanners:
targets = len(scanner['target_ips'])
ports = len(scanner['target_ports'])
duration = (scanner['last_seen'] - scanner['first_seen']).total_seconds() \
if scanner['first_seen'] and scanner['last_seen'] else 0
is_internal = scanner['source_ip'].startswith(('10.', '172.', '192.168.'))
severity = "严重" if is_internal else \
"高" if targets > 50 or ports > 100 else "中"
print(f"[{severity}] 扫描源:{scanner['source_ip']}")
print(f" 类型:{'内部' if is_internal else '外部'}")
print(f" 扫描类型:{', '.join(scanner['scan_types'])}")
print(f" 目标主机数:{targets},目标端口数:{ports}")
print(f" 告警总数:{scanner['alert_count']}")
print(f" 持续时间:{duration:.0f} 秒")
print(f" 首次发现:{scanner['first_seen']}")
print(f" 主要签名:")
for sig, count in sorted(
scanner['signatures'].items(), key=lambda x: x[1], reverse=True
)[:5]:
print(f" - {sig}:{count}")
print()
if __name__ == '__main__':
detector = ScanDetector()
log_file = sys.argv[1] if len(sys.argv) > 1 else '/var/log/suricata/eve.json'
detector.process_eve_json(log_file)
detector.generate_report()