I have applied the following Snort rule on our IPS and configured the IPS to send events to our McAfee Nitro SIEM. The following is the rule to detect nmap scan traffic on our server range.
alert tcp any any -> 10.255.240.0/24 any (msg:"PTCL NMAP SCAN ON Servers"; content:"nmap"; nocase; sid:5224;)
The content keyword is also placed in the rule to detect any content in the traffic that has the keyword "nmap". However, it is observed that many of our servers from different subnets are connecting to 10.255.240.0/24 and the events are triggered. For example, in the attached screenshot, the server 10.255.112.221 (a Microsoft SCCM machine) is connecting to 10.255.240.221.
I am unable to understand why, when we have a specific rule that will only trigger if it sees the NMAP keyword, we have so many false positives.
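The rule in the post, worked through as an added example (this is editor-supplied code, not the poster's, McAfee's or the Snort project's): a small Python re-implementation of only the header address check and the content/nocase option, run over constructed packets. It shows the matching semantics that produce the alerts above: `content:"nmap"; nocase;` is a plain case-insensitive byte-substring search over the payload, so any transfer whose payload happens to contain those four bytes (a file name in a content-distribution request, for instance) fires the rule, while a plain SYN port scan carries no payload and never matches it. The sample payloads and the package path are constructed; the IP addresses and the rule text are the ones from the post.

```python
"""Minimal evaluator for the content/nocase semantics of a Snort rule.

Added example, not Snort or McAfee code: it re-implements just the header
address check and the `content`/`nocase` options so the behaviour of the
rule from the post can be tried against constructed payloads offline.
"""
import ipaddress

RULE = ('alert tcp any any -> 10.255.240.0/24 any '
        '(msg:"PTCL NMAP SCAN ON Servers"; content:"nmap"; nocase; sid:5224;)')


def parse_rule(rule):
    """Split a single-line Snort rule into header fields and an option map."""
    header, body = rule.split("(", 1)
    action, proto, src, sport, direction, dst, dport = header.split()
    options, flags = {}, set()
    for opt in body.rstrip().rstrip(")").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        if ":" in opt:
            key, value = opt.split(":", 1)
            options[key.strip()] = value.strip().strip('"')
        else:
            flags.add(opt)          # bare modifiers such as nocase
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "options": options, "flags": flags}


def addr_matches(spec, ip):
    """'any' or a CIDR/host spec tested against one IP address."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, src_ip, dst_ip, payload):
    """Apply the header addresses and the content/nocase test to one packet."""
    r = parse_rule(rule)
    if not (addr_matches(r["src"], src_ip) and addr_matches(r["dst"], dst_ip)):
        return False
    needle, haystack = r["options"]["content"].encode(), payload
    if "nocase" in r["flags"]:
        needle, haystack = needle.lower(), haystack.lower()
    # Snort's content option is a byte-substring search over the payload:
    # there is no notion of "scan", only "does this byte sequence appear".
    return needle in haystack


# Constructed sample traffic (addresses from the post, payloads invented):
SAMPLES = {
    # Benign content-distribution request carrying "nmap" only in a file name.
    "sccm_package_fetch": ("10.255.112.221", "10.255.240.221",
        b"GET /SMS_DP_SMSPKG$/PKG00012/nmap-setup.exe HTTP/1.1\r\n"
        b"Host: 10.255.240.221\r\n\r\n"),
    # Nmap's NSE HTTP probes identify themselves in the User-Agent (mixed case).
    "nse_http_probe": ("10.255.112.221", "10.255.240.221",
        b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (compatible; "
        b"Nmap Scripting Engine; https://nmap.org/book/nse.html)\r\n\r\n"),
    # A plain SYN scan carries no payload, so there is nothing to match.
    "syn_scan_probe": ("10.255.112.221", "10.255.240.221", b""),
    # Same bytes, but the destination lies outside the rule's server range.
    "outside_range": ("10.255.112.221", "10.1.1.1", b"nmap"),
}


def evaluate_samples(rule=RULE):
    """Return {sample name: would the rule alert on it}."""
    return {name: rule_matches(rule, s, d, p)
            for name, (s, d, p) in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:20s} alert={hit}")
```

Running it alerts on both the package fetch and the NSE probe, and on neither the empty SYN probe nor the out-of-range packet: the rule keys on the literal string, not on scanning behaviour, which is exactly the pattern behind the SCCM events in the question.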
I would be interested to see what the packet tab shows for that event; can you get a copy of that? Also, this looks like you have configured the DS for ISS Site Protector. We get the Rule Message string from the Site Protector event, so it looks like ISS is detecting those events and sending them to us.
Can you get a couple of samples from the packet tab? I may need to get you to log a ticket on this for any further investigation.