I am comming around a lot of issues when working with events from Intrushield.
So Iam always wondering how I can find out what triggers an event, how can I tell that it is not the false positive that it seems to be on the first look.
I have seen many events like "UDP: Port Scan" the involved source hereby is a nameserver.
So, I would need much more information, cause I would say that this seems to be wrong.
Please see the below KB on how to submit a false positive report to McAfee support. This will teach you how to enable full flow logging and generate an evidence report. You can view these packet logs yourself, or submit the logs to our support team. Thanks!
Technical Support Engineer
McAfee. Part of Intel Security.
Please note, this method does not work when the attack definition is not able to collect packet capture. See the following for a list of attack definitions that will not collect packet capture:
Alternatively you can create a packet capture rule to collect what is needed.