
Port Scan alert on Firewall

Hello all,

I am in the middle of creating a few alerts on McAfee SIEM.

1. Port Scan alert on Firewall:

I have performed an Nmap scan on the firewall. I have only received the ACL denied events. This is a very generic event, and if I create an alert for it, it would fire like hell. It becomes very difficult to tell a legitimate scan from a false positive. Is there a way to set up a port scan alert on the firewall? There is no IPS/IDS implemented in the infra. We have a Cisco 5500 ASA FW.

Any help in this regard would be appreciated.

Best Regards,

Kartik

3 Replies

Re: Port Scan alert on Firewall

Hey Kartik,

For a port scan, pick the threshold you'd want before triggering the correlation rule. Let's say a host has to hit 200 different ports on a single server for the correlation rule to fire. Set up the rule similar to below; mine is looking for external IPs only.

1.PNG

Then set up the "Advanced Options" so that the correlation rule is looking for a number of distinct events. In this case I have modified the "NumDests" to be 200.

2.PNG


Re: Port Scan alert on Firewall

Hi,

How were you able to specify port not in [0]?

I'm on 9.5.1 MR2 and it's not letting me specify anything outside of 1-65....

Thanks,

Re: Port Scan alert on Firewall

To solve this problem, go to the event that is generated and get the signature ID. Then you need to create a correlation rule that is based on this signature ID, and you can customize it based on your requirements.

Good luck.
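
The threshold idea from the first reply, restricted to a single deny signature as the last reply suggests, shown outside the SIEM as an added example (not part of the original thread and not McAfee's rule logic). It assumes the ACL denied events are Cisco ASA syslog message 106023 with an ISO timestamp prepended by the collector, a hypothetical external interface named `outside`, and a 5-minute window; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event shape: ASA message 106023 (ACL deny), ISO timestamp first.
DENY_RE = re.compile(
    r"^(?P<ts>\S+) .*%ASA-4-106023: Deny (?P<proto>tcp|udp) "
    r"src (?P<sif>[^:]+):(?P<src>[\d.]+)/\d+ "
    r"dst (?P<dif>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) ")

def detect_scans(lines, threshold=200, window=timedelta(minutes=5),
                 src_iface="outside"):
    """Alert once per (src, dst) pair when the number of distinct destination
    ports denied inside the sliding window reaches the threshold."""
    last_seen = defaultdict(dict)   # (src, dst) -> {(proto, dport): last time}
    alerted, alerts = set(), []
    for line in lines:              # lines must be in time order
        m = DENY_RE.match(line)
        if not m or m["sif"] != src_iface:   # external sources only
            continue
        ts = datetime.fromisoformat(m["ts"])
        key = (m["src"], m["dst"])
        ports = last_seen[key]
        ports[(m["proto"], int(m["dport"]))] = ts
        # Drop ports not seen within the window so slow noise never adds up.
        for p in [p for p, seen in ports.items() if ts - seen > window]:
            del ports[p]
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], ts, len(ports)))
    return alerts

def sample_lines():
    """Constructed log lines using documentation addresses, not real traffic."""
    base = datetime(2024, 1, 10, 12, 0, 0)
    fmt = ('{ts} fw01 %ASA-4-106023: Deny tcp src outside:{src}/40000 '
           'dst inside:10.0.0.5/{port} by access-group "outside_in" [0x0, 0x0]')
    def line(offset, src, port):
        ts = (base + timedelta(seconds=offset)).isoformat()
        return fmt.format(ts=ts, src=src, port=port)
    lines = [line(i, "203.0.113.50", 1 + i) for i in range(250)]    # fast scan
    lines += [line(i, "198.51.100.9", 445) for i in range(300)]     # one port, repeated
    lines += [line(10 * i, "198.51.100.77", 1000 + i) for i in range(250)]  # slow probe
    return sorted(lines)            # equal-width ISO timestamps sort by time

if __name__ == "__main__":
    for src, dst, ts, n in detect_scans(sample_lines()):
        print(f"{ts.isoformat()} port scan: {src} -> {dst}, {n} distinct ports")
```

Counting distinct ports rather than raw deny events is what keeps the repeated single-port source from alerting, and the window is what keeps the slow prober under the threshold of 200.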
