cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
secnubs1
secnubs1
Level 7
Report Inappropriate Content
Message 1 of 4
‎12-25-2018 12:30 PM

Horizontal SMB Scan

Hi,

 

My SIEM is alerting me a "Recon - Horizontal SMB Scan - Events or Flows" , there is no malware detected as I scan the endpoint in suspicion of wannacry ransomware, is this a false positive?. Below is the sample packet capture, I've edited some of the info for privacy purposes.

 

<189>date=date time=time devname="Firewall" devid="FG1K" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1545746497 srcip=xx.xx.xx.xx srcport=51856 srcintf="LAN" srcintfrole="lan" dstip=x.x.x.x dstport=445 dstintf="LAN" dstintfrole="lan" sessionid=1099522634 proto=6 action="deny" policyid=0 policytype="policy" service="SMB" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high" devtype="Router/NAT Device" mastersrcmac="X:0x:x:fx:fd:xx" srcmac="x:x:e3:x:x:x" srcserver=0

0 Kudos
Reply
3 Replies
Highlighted
mherr
McAfee Employee mherr
McAfee Employee
Report Inappropriate Content
Message 2 of 4
‎12-26-2018 10:34 AM

Re: Horizontal SMB Scan

You should review the host and determine if this is expected activity. 

By default this rule detects connections from a source IP to 10 distinct internal destination IPs in 10 minutes over tcp ports 137, 139, 445.  

These rules need to be tuned for your environment.  Is the source IP a scanner, asset management system, etc?  You may need to exclude it from the rule or you may need to adjust the thresholds.

 

 

0 Kudos
Reply
secnubs1
secnubs1
Level 7
Report Inappropriate Content
Message 3 of 4
‎01-01-2019 05:25 PM

Re: Horizontal SMB Scan

So it cannot be determined by looking at the packet alone. I guess I still need to dive deeper on the computer activity or rather increasing the threshold of the alert. Thanks

0 Kudos
Reply
David1111
Reliable Contributor David1111
Reliable Contributor
Report Inappropriate Content
Message 4 of 4
‎01-02-2019 03:16 AM

Re: Horizontal SMB Scan

Correct!

Mherr is right.

0 Kudos
Reply
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator

    • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community


    Corporate Headquarters
    2821 Mission College Blvd.
    Santa Clara, CA 95054 USA

    Consumer Support   |   Enterprise Support   |   McAfee.com

    Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC