I am in the middle of creating a few alerts on McAfee SIEM.
1. Port Scan alert on Firewall:
I have performed an Nmap scan on the Firewall. I have only received the ACL denied events. This is a very generic event and if I create an alert for the same, it would fire like hell. It becomes very difficult to distinguish a legitimate scan from a false positive. Is there a way to set up a port scan alert on the firewall? There is no IPS/IDS implemented in the Infra. We have a Cisco 5500 ASA FW.
For a port scan pick the threshold you'd want before triggering the correlation rule, let's say a host has to hit 200 different ports on a single server for the correlation rule to fire. Set up the rule similar to below, mine is looking for external IPs only.
Then set up the "Advanced Options" so that the correlation rule is looking for a number of distinct events. In this case I have modified the "NumDests" to be 200.
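The same logic the answer above builds in the SIEM, as an added example that is not from the thread or from McAfee: it parses Cisco ASA 106023 ACL-deny lines and fires once per source/destination pair that is denied on 200 or more distinct ports within a five-minute window. The log lines, host name and the five-minute window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Cisco ASA message 106023 (ACL deny) preceded by a "Mon DD HH:MM:SS host" syslog header.
ASA_DENY = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %ASA-4-106023: Deny (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_deny(line, year=2024):
    """Return (timestamp, src, dst, dport) for an ACL-deny line, else None."""
    m = ASA_DENY.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dport"])

def detect_port_scans(lines, threshold=200, window=timedelta(minutes=5)):
    """Alert once per (src, dst) that is denied on >= threshold distinct ports inside window."""
    events = sorted(filter(None, (parse_deny(l) for l in lines)))
    recent = defaultdict(deque)  # (src, dst) -> deque of (timestamp, dport) inside the window
    alerts = {}                  # (src, dst) -> (time the threshold was crossed, distinct ports)
    for ts, src, dst, dport in events:
        q = recent[(src, dst)]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and (src, dst) not in alerts:
            alerts[(src, dst)] = (ts, len(distinct))
    return alerts

def make_line(sec, src, dst, dport):
    """Build a constructed ASA deny line (not captured from a real device)."""
    ts = datetime(2024, 6, 10, 12, 0, 0) + timedelta(seconds=sec)
    return (f"{ts:%b %d %H:%M:%S} fw01 %ASA-4-106023: Deny tcp src outside:{src}/51234 "
            f"dst inside:{dst}/{dport} by access-group \"OUTSIDE_IN\" [0x0, 0x0]")

# Constructed sample: one host sweeps 250 ports in about four minutes,
# another produces three stray denies (normal noise that must not fire).
SAMPLE_LOGS = [make_line(i, "203.0.113.5", "10.0.0.10", 1 + i) for i in range(250)]
SAMPLE_LOGS += [make_line(i * 60, "198.51.100.7", "10.0.0.10", p)
                for i, p in enumerate((22, 443, 3389))]

if __name__ == "__main__":
    for (src, dst), (ts, n) in detect_port_scans(SAMPLE_LOGS).items():
        print(f"{ts:%H:%M:%S} possible port scan {src} -> {dst}: {n} distinct ports denied")
```

Raising the threshold or shrinking the window is the tuning knob the answer describes; a single plain deny never reaches it, which is what keeps the rule from firing on every ACL hit.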
To solve this problem go to the event that is generated and get the signature ID, then you need to create a correlation rule that is based on this signature ID, and you can customize it to your requirements.