McAfee Support Community - Re: Horizontal SMB Scan

secnubs1 · ‎12-25-2018

Hi,

My SIEM is alerting me a "Recon - Horizontal SMB Scan - Events or Flows" , there is no malware detected as I scan the endpoint in suspicion of wannacry ransomware, is this a false positive?. Below is the sample packet capture, I've edited some of the info for privacy purposes.

<189>date=date time=time devname="Firewall" devid="FG1K" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1545746497 srcip=xx.xx.xx.xx srcport=51856 srcintf="LAN" srcintfrole="lan" dstip=x.x.x.x dstport=445 dstintf="LAN" dstintfrole="lan" sessionid=1099522634 proto=6 action="deny" policyid=0 policytype="policy" service="SMB" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high" devtype="Router/NAT Device" mastersrcmac="X:0x:x:fx:fd:xx" srcmac="x:x:e3:x:x:x" srcserver=0

mherr · ‎12-26-2018

You should review the host and determine if this is expected activity.

By default this rule detects connections from a source IP to 10 distinct internal destination IPs in 10 minutes over tcp ports 137, 139, 445.

These rules need to be tuned for your environment. Is the source IP a scanner, asset management system, etc? You may need to exclude it from the rule or you may need to adjust the thresholds.

secnubs1 · ‎01-01-2019

So it cannot be determined by looking at the packet alone. I guess I still need to dive deeper on the computer activity or rather increasing the threshold of the alert. Thanks

David1111 · ‎01-02-2019

Correct!

Mherr is right.