Horizontal SMB Scan

Hi,

 

My SIEM is alerting me with "Recon - Horizontal SMB Scan - Events or Flows". There is no malware detected as I scanned the endpoint on suspicion of WannaCry ransomware; is this a false positive? Below is the sample packet capture; I've edited some of the info for privacy purposes.

 

<189>date=date time=time devname="Firewall" devid="FG1K" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1545746497 srcip=xx.xx.xx.xx srcport=51856 srcintf="LAN" srcintfrole="lan" dstip=x.x.x.x dstport=445 dstintf="LAN" dstintfrole="lan" sessionid=1099522634 proto=6 action="deny" policyid=0 policytype="policy" service="SMB" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high" devtype="Router/NAT Device" mastersrcmac="X:0x:x:fx:fd:xx" srcmac="x:x:e3:x:x:x" srcserver=0

3 Replies
McAfee Employee mherr

Re: Horizontal SMB Scan

You should review the host and determine if this is expected activity. 

By default this rule detects connections from a source IP to 10 distinct internal destination IPs in 10 minutes over tcp ports 137, 139, 445.

These rules need to be tuned for your environment. Is the source IP a scanner, asset management system, etc? You may need to exclude it from the rule or you may need to adjust the thresholds.
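A minimal re-implementation of the detection logic mherr describes, added here as an example and not McAfee's or the forum's code: it parses FortiGate key=value lines like the one in the post, keeps only tcp 137/139/445 traffic to internal (RFC 1918) destinations, drops tuned-out sources, and flags any srcip that reaches 10 distinct destinations within a sliding 10-minute span. The sample lines, the excluded scanner address and the `fake_line` helper are constructed; the SIEM's actual rule may differ in details.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

SMB_PORTS = {137, 139, 445}   # tcp ports the rule watches, per mherr's reply
WINDOW = 600                  # 10 minutes
THRESHOLD = 10                # distinct internal destinations
EXCLUDED = {"10.0.0.5"}       # hypothetical tuned-out vulnerability scanner

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate(line):
    # FortiGate key=value syslog; quoted values have their quotes stripped
    return {k: q or b for k, q, b in KV_RE.findall(line)}

def horizontal_smb_scan(lines, threshold=THRESHOLD, window=WINDOW, excluded=EXCLUDED):
    """srcip -> distinct internal SMB dstips, for sources reaching >= threshold within any window."""
    events = defaultdict(list)  # srcip -> [(eventtime, dstip)]
    for line in lines:
        f = parse_fortigate(line)
        try:
            ts, port, dst, src = int(f["eventtime"]), int(f["dstport"]), ip_address(f["dstip"]), f["srcip"]
        except (KeyError, ValueError):
            continue  # incomplete or redacted line (e.g. dstip=x.x.x.x as in the post): skip
        if port in SMB_PORTS and dst.is_private and src not in excluded:
            events[src].append((ts, str(dst)))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            dsts = {d for t, d in evs[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                hits[src] = dsts
                break
    return hits

def fake_line(src, dst, ts, port=445):
    # Constructed sample line in the same shape as the post's capture (not a real log)
    return (f'<189>date=d time=t devname="Firewall" type="traffic" eventtime={ts} '
            f'srcip={src} srcport=51856 dstip={dst} dstport={port} proto=6 '
            f'action="deny" service="SMB"')

# Constructed sample: one host sweeping 12 internal peers in 6 minutes, one touching 3,
# one external target (ignored), and the excluded scanner sweeping 15 hosts
SAMPLE_LOGS = (
    [fake_line("192.168.1.50", f"192.168.1.{100 + i}", 1545746497 + 30 * i) for i in range(12)]
    + [fake_line("192.168.1.7", f"192.168.1.{200 + i}", 1545746497 + i) for i in range(3)]
    + [fake_line("192.168.1.50", "8.8.8.8", 1545746497)]
    + [fake_line("10.0.0.5", f"192.168.2.{i}", 1545746497 + i) for i in range(1, 16)]
)
```

Running `horizontal_smb_scan(SAMPLE_LOGS)` reports only 192.168.1.50; lowering the threshold or emptying the exclusion set shows how tuning changes which sources fire.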


Re: Horizontal SMB Scan

So it cannot be determined by looking at the packet alone. I guess I still need to dive deeper into the computer activity, or rather increase the threshold of the alert. Thanks

Reliable Contributor David1111

Re: Horizontal SMB Scan

Correct!

Mherr is right.
