Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.
All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
Detect network reconnaissance and port scanning using Suricata and Snort IDS signatures, threshold-based detection rules, and traffic anomaly analysis to identify Nmap, Masscan, and custom scanning activity.
cybersecurity
network-security
ids
nmap-detection
port-scanning
snort
suricata
reconnaissance
network-security
signature-detection
threshold-rules
1.0
mahipal
Apache-2.0
PR.IR-01
DE.CM-01
ID.AM-03
PR.DS-02
Detecting Network Scanning with IDS Signatures
Overview
Network scanning is typically the first phase of an attack, where adversaries enumerate live hosts, open ports, running services, and OS versions using tools like Nmap, Masscan, ZMap, and custom scanners. Detecting this reconnaissance activity provides early warning of potential attacks. IDS/IPS systems like Suricata and Snort can identify scanning through signature-based detection (matching known scanner packet patterns), threshold-based detection (counting connection attempts over time), and anomaly detection (identifying unusual traffic patterns). This skill covers writing and deploying IDS signatures for scan detection, configuring threshold-based alerting, and correlating scan activity with downstream attack indicators.
When to Use
When investigating security incidents that require detecting network scanning with ids signatures
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques
Prerequisites
Suricata 7.0+ or Snort 3.0+ deployed in IDS/IPS mode
Network TAP or SPAN port for traffic visibility
Emerging Threats ruleset enabled
Logging infrastructure for alert analysis (ELK Stack, Splunk)
Baseline understanding of normal network traffic patterns