Former Member
Message 1 of 4

NMAP Scan detection via snort rules in SIEM

Dear All,

I have applied the following Snort rule on our IPS and configured the IPS to send events to our McAfee Nitro SIEM. The following is the rule to detect nmap scan traffic on our server range.

alert tcp any any -> 10.255.240.0/24 any (msg:"PTCL NMAP SCAN ON Servers"; content:"nmap"; nocase; sid:5224;)

The content keyword is also placed in the rule to detect any content in the traffic that has the keyword "nmap". However, it is observed that many of our servers from different subnets are connecting to 10.255.240.0/24 and the events are triggered. For example, in the attached screenshot, the server (10.255.112.221, which is a Microsoft SCCM machine) is connecting to 10.255.240.221.

I am unable to understand why, when we have a specific rule that will only trigger if it sees the NMAP keyword, we have so many false positives.

Can anybody shed light on it?

thanks

Fahad
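An added illustration (not part of Fahad's post, nor code from any McAfee or IBM product) of what the posted rule's `content:"nmap"; nocase;` actually tests: a case-insensitive substring search over the whole TCP payload, so any payload containing those four letters inside another word (for example "unmapped") fires it, while a plain SYN scan with no payload never can. The packets below are constructed samples, and the `\bnmap\b` variant stands in for a tighter Snort `pcre` option.

```python
import ipaddress
import re

SERVER_RANGE = ipaddress.ip_network("10.255.240.0/24")   # destination range from the posted rule


def content_nocase_matches(payload: bytes, needle: bytes = b"nmap") -> bool:
    """Snort content:"nmap"; nocase; semantics: case-insensitive substring anywhere in the payload."""
    return needle.lower() in payload.lower()


def pcre_word_matches(payload: bytes) -> bool:
    """Tighter alternative, equivalent to pcre:"/\\bnmap\\b/i": 'nmap' must stand alone as a word."""
    return re.search(rb"\bnmap\b", payload, re.IGNORECASE) is not None


def evaluate(packet: dict, matcher) -> bool:
    """Apply the rule header (tcp, any source, destination in SERVER_RANGE), then the payload test."""
    if packet["proto"] != "tcp":
        return False
    if ipaddress.ip_address(packet["dst"]) not in SERVER_RANGE:
        return False
    return matcher(packet["payload"])


# Constructed sample packets (not captures from the thread).
SAMPLES = {
    # Management traffic whose payload mentions an "unmapped" share: the substring "nmap" is present.
    "sccm_unmapped": {"proto": "tcp", "dst": "10.255.240.221",
                      "payload": b"CCM_Client: resource unmapped from share \\\\srv\\SMS_DP$"},
    # A SYN scan probe carries no TCP payload, so no content rule can ever see it.
    "syn_scan": {"proto": "tcp", "dst": "10.255.240.10", "payload": b""},
    # An NSE HTTP probe does announce itself in its User-Agent header.
    "nse_http": {"proto": "tcp", "dst": "10.255.240.80",
                 "payload": b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine)\r\n\r\n"},
    # Same text sent to a host outside the watched range: header mismatch, no alert either way.
    "outside_range": {"proto": "tcp", "dst": "10.255.112.221", "payload": b"User-Agent: Nmap"},
}


def run_all() -> dict:
    """Return {sample_name: (content_rule_fires, word_bounded_rule_fires)} for every sample packet."""
    return {name: (evaluate(p, content_nocase_matches), evaluate(p, pcre_word_matches))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (content_hit, pcre_hit) in run_all().items():
        print(f"{name:15s} content:nmap -> {str(content_hit):5}  \\bnmap\\b -> {pcre_hit}")
```

The first sample is the shape of the false positive in the question (benign payload, substring hit), and the second shows that the rule would not catch the most common scan type at all; the packet tab Chris asks for is where you would confirm which bytes actually matched.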

3 Replies
Former Member
Message 2 of 4

Re: NMAP Scan detection via snort rules in SIEM

Hi Fahad

I would be interested to see what the packet tab shows for that event; can you get a copy of that? Also, this looks like you have configured the DS for ISS Site Protector. We get the Rule Message string from the Site Protector event. So it looks like ISS is detecting those events and sending them to us.

Can you get a couple of samples from the packet tab? I may need to get you to log a ticket on this for any further investigation.

Chris

Former Member
Message 3 of 4

Re: NMAP Scan detection via snort rules in SIEM

Dear Chris,

I have attached 3 different samples of the Packet Tab and they do not show anything special to be aware of.

Also, just to rephrase, we have written a custom-made Snort rule in IBM ISS.

Attachments: 1.png, 2.png, 3.png

Please see if we can track the issue down.

Thanks

Fahad

Former Member
Message 4 of 4

Re: NMAP Scan detection via snort rules in SIEM

Hi Fahad

I think it's best to create a support ticket for this question and we can help you resolve it that way.

Thanks

Chris
