Help with Custom Suricata Rule for specific Attack Testing

Hi everyone, I’m trying to create a custom Suricata rule to detect a specific attack test, but it’s not triggering as expected. Could someone review my rule logic based on this traffic pattern?

Hi @Hoisang!

I’m happy to take a look! Can you share your rule and details about what you’re trying to detect? If you have a pcap that you can share it will make troubleshooting easier.

Thanks,
Isaac

Config Rule

alert icmp any any -> any any (msg:"ICMP Ping Scan Detected Test!!!"; itype:8; classtype:network-scan; sid:1000001; rev:1;)

Log from fast.log on Suricata server
03/12/2026-17:11:09.885411 [**] [1:1000001:1] ICMP Ping Scan Detected Test!!! [**] [Classification: Detection of a Network Scan] [Priority: 3] {ICMP} 61.91.39.154:8 -> 103.255.13.211:0
03/12/2026-17:11:10.894700 [**] [1:1000001:1] ICMP Ping Scan Detected Test!!! [**] [Classification: Detection of a Network Scan] [Priority: 3] {ICMP} 61.91.39.154:8 -> 103.255.13.211:0
03/12/2026-17:11:11.900386 [**] [1:1000001:1] ICMP Ping Scan Detected Test!!! [**] [Classification: Detection of a Network Scan] [Priority: 3] {ICMP} 61.91.39.154:8 -> 103.255.13.211:0
03/12/2026-17:11:12.910106 [**] [1:1000001:1] ICMP Ping Scan Detected Test!!! [**] [Classification: Detection of a Network Scan] [Priority: 3] {ICMP} 61.91.39.154:8 -> 103.255.13.211:0

This is the information about the config rule and the log from the Suricata server, so it is detected at priority 3. But I want to detect at priority 1 or 2 to use the concept "Ping IP Dest". Do you have any other solution? Can you tell me, please?
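To check the two things this thread is asking about against fast.log data (which alerts would pass a "priority 1 or 2" filter, and whether one source is pinging many destination IPs), here is an added Python example that is not from the original post. It parses lines in Suricata's fast.log format (the `[**]` separators and `->` arrow are the on-disk format; the ICMP type and code appear in the source and destination "port" slots) and runs over a constructed sample modelled on the log above. The second source `198.51.100.7`, the destination addresses beyond `.211`, the rev 2 / priority 1 line and the `min_dests` / `window_seconds` thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Suricata fast.log format, modelled on the thread's log.
# Lines 1-4: one source sweeping four destinations; line 5: a second source;
# line 6: the same rule after a rev bump with its priority raised to 1 (assumed).
SAMPLE_FAST_LOG = """\
03/12/2026-17:11:09.885411  [**] [1:1000001:1] ICMP Ping Scan Detected Test!!! [**] [Classification: Detection of a Network Scan] [Priority: 3] {ICMP} 61.91.39.154:8 -> 103.255.13.211:0
03/12/2026-17:11:10.894700  [**] [1:1000001:1] ICMP Ping Scan Detected Test!!! [**] [Classification: Detection of a Network Scan] [Priority: 3] {ICMP} 61.91.39.154:8 -> 103.255.13.212:0
03/12/2026-17:11:11.900386  [**] [1:1000001:1] ICMP Ping Scan Detected Test!!! [**] [Classification: Detection of a Network Scan] [Priority: 3] {ICMP} 61.91.39.154:8 -> 103.255.13.213:0
03/12/2026-17:11:12.910106  [**] [1:1000001:1] ICMP Ping Scan Detected Test!!! [**] [Classification: Detection of a Network Scan] [Priority: 3] {ICMP} 61.91.39.154:8 -> 103.255.13.214:0
03/12/2026-17:11:13.000000  [**] [1:1000001:1] ICMP Ping Scan Detected Test!!! [**] [Classification: Detection of a Network Scan] [Priority: 3] {ICMP} 198.51.100.7:8 -> 103.255.13.211:0
03/12/2026-17:11:40.000000  [**] [1:1000001:2] ICMP Ping Scan Detected Test!!! [**] [Classification: Detection of a Network Scan] [Priority: 1] {ICMP} 61.91.39.154:8 -> 103.255.13.215:0
"""

# One fast.log line: timestamp, [**], [gid:sid:rev], msg, [**], classification,
# priority, {proto}, src:sport -> dst:dport. For ICMP, sport/dport carry type/code.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s+(?P<classification>[^\]]+)\]\s+"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_fast_log(text):
    """Parse fast.log text into a list of alert dicts; reject lines that do not fit the format."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FAST_LOG_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised fast.log line: {line!r}")
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def high_priority(alerts, max_priority=2):
    """Alerts that a 'priority 1 or 2' filter would keep (lower number = higher priority)."""
    return [a for a in alerts if a["priority"] <= max_priority]


def ping_sweep_sources(alerts, min_dests=3, window_seconds=10):
    """Sources whose ICMP echo requests (type 8) reached at least min_dests distinct
    destination IPs within any window_seconds-long window. Returns {src: max_distinct}."""
    by_src = defaultdict(list)
    for a in alerts:
        if a["proto"] == "ICMP" and a["sport"] == 8:  # type 8 = echo request
            by_src[a["src"]].append((a["ts"], a["dst"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the window fits in window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_dests:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    alerts = parse_fast_log(SAMPLE_FAST_LOG)
    print(f"{len(alerts)} alerts parsed")
    for a in high_priority(alerts):
        print("priority<=2:", a["sid"], a["rev"], a["src"], "->", a["dst"])
    print("ping sweep sources:", ping_sweep_sources(alerts))
```

The sweep check is the "Ping IP Dest" idea done offline: the thread's rule fires once per echo request, so counting distinct destinations per source over the resulting alerts is what separates one host pinging one address from a sweep. Feed it a real fast.log and tune `min_dests` and `window_seconds` to the test you are running.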

What you’ll want to do is edit your Classification Config. Here you can change the priority for each alert type.
In my suricata install it is located at /usr/local/etc/suricata/classification.config but it may be different on your system.

By default the classtype for network-scan is a priority 3 but you could change that to whatever you want. Here is a snippet from that config file.

# config classification:shortname,short description,priority
config classification: network-scan,Detection of a Network Scan,3
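Two ways to make the rule above fire at priority 1 instead of 3, as an added example rather than code from the original replies: the global change in classification.config that the reply describes, and a per-rule `priority` keyword, which Suricata uses in preference to the classtype's priority when both are present. The `rev` bump to 2 and the optional `threshold` line (which only raises the alert once a source has sent five echo requests in ten seconds) are my additions, assumed to fit the "ping scan" intent; adjust the counts to your test.

```conf
# Option A: classification.config
# Lowers the number (raises the priority) for EVERY rule that uses classtype:network-scan.
config classification: network-scan,Detection of a Network Scan,1

# Option B: per-rule override in your .rules file
# priority:1 takes precedence over the classtype's priority for this signature only.
# rev bumped to 2 so the change is visible in fast.log as [1:1000001:2].
alert icmp any any -> any any (msg:"ICMP Ping Scan Detected Test!!!"; itype:8; classtype:network-scan; priority:1; sid:1000001; rev:2;)

# Option B + rate limit (assumed counts): alert only after 5 echo requests from one
# source within 10 seconds, so a single ping does not show up as a "scan".
alert icmp any any -> any any (msg:"ICMP Ping Scan Detected Test!!!"; itype:8; threshold: type threshold, track by_src, count 5, seconds 10; classtype:network-scan; priority:1; sid:1000002; rev:1;)
```

After either change, reload the rules (or restart Suricata) and confirm the new value in fast.log, where the line should now read `[Priority: 1]`; `suricata -T -c <your suricata.yaml>` will also report syntax errors in the rule before you commit to it.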