3 Replies Latest reply on Jan 17, 2013 3:15 PM by Chris Boldiston

    NMAP Scan detection via snort rules in SIEM

      Dear All,


      I have applied the following snort rule on our IPS and configured the IPS to send events to our McAfee Nitro SIEM. The following is the rule to detect nmap scan traffic on our server range.


      alert tcp any any -> any (msg:"PTCL NMAP SCAN ON Servers"; content:"nmap"; nocase; sid:5224;)


      The content keyword is also placed in the rule to detect any content in the traffic that has the keyword "nmap". However, it is observed that many of our servers from different subnets are connecting to and the events are triggered. For example, in the attached screenshot, the server ( is a Microsoft SCCM machine) connecting to


      I am unable to understand why, when we have a specific rule that will only trigger if it sees the NMAP keyword, we have so many false positives.


      Can anybody shed light on it?
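The following is an added illustration, not code from this thread or from the poster's IPS, of why a rule built on `content:"nmap"; nocase;` behaves as described above. Snort's `content` keyword is a raw substring search over the packet payload and `nocase` folds case on both sides; there is no word boundary, so any payload containing the four bytes n-m-a-p in any case (for example the word "unmap" in an ordinary request body) matches, while a packet with no payload at all (a bare SYN from a default `nmap -sS` scan) can never match. The sample packets, IP addresses and the "scanner host" set below are constructed for the demonstration and are assumptions, not data from the poster's network.

```python
"""Model of how Snort `content:"nmap"; nocase;` matches packet payloads.

Added illustration, not code from the thread. The packets, addresses and the
SCANNER_HOSTS set are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str            # TCP flags as tcpdump prints them, "S" = bare SYN
    payload: bytes = b""  # application-layer bytes Snort would inspect


def content_match(payload: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """Model of Snort `content:"..."` with optional `nocase`: a substring search."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def rule_fires(pkt: Packet) -> bool:
    """alert tcp any any -> any any (content:"nmap"; nocase;)
    The header matches every TCP packet, so only the content check decides."""
    return content_match(pkt.payload, b"nmap", nocase=True)


# Assumed address of the one host actually running nmap in this scenario.
SCANNER_HOSTS = {"10.0.9.5"}

# Constructed sample traffic (not captures from the poster's network).
SAMPLES = {
    # Nmap NSE http scripts identify themselves in the User-Agent header.
    "nse_http_probe": Packet(
        "10.0.9.5", "10.0.1.20", 80, "PA",
        b"GET / HTTP/1.1\r\nHost: 10.0.1.20\r\n"
        b"User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; "
        b"https://nmap.org/book/nse.html)\r\n\r\n"),
    # Default `nmap -sS` port scan: a bare SYN carries no payload at all.
    "syn_scan": Packet("10.0.9.5", "10.0.1.20", 445, "S", b""),
    # Ordinary management traffic whose body happens to contain "unmap":
    # the bytes u-n-m-a-p are enough for a substring match on "nmap".
    "mgmt_json": Packet(
        "10.0.3.7", "10.0.1.20", 8080, "PA",
        b"POST /api/volumes HTTP/1.1\r\nContent-Type: application/json\r\n\r\n"
        b'{"action": "unmap", "volume": "vol-42"}'),
    # Case does not help either: nocase folds both sides before comparing.
    "share_path": Packet(
        "10.0.3.9", "10.0.1.20", 445, "PA",
        b"\\\\fileserver\\reports\\NMAP_results.txt"),
    # Unrelated traffic with no "nmap" anywhere in the payload.
    "plain_http": Packet(
        "10.0.3.7", "10.0.1.20", 80, "PA",
        b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
}


def verdict(pkt: Packet) -> str:
    """Label the rule's outcome against what the packet really is."""
    fires = rule_fires(pkt)
    is_scanner = pkt.src in SCANNER_HOSTS
    if fires and is_scanner:
        return "true positive"
    if fires:
        return "false positive"
    if is_scanner:
        return "missed: no payload for content to inspect"
    return "true negative"


def evaluate() -> dict:
    """Run every constructed sample through the rule and label the result."""
    return {name: verdict(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:16} {result}")
```

Two things a practitioner would check against this: the rule header as reproduced on the page, `alert tcp any any -> any (`, has only five header fields where Snort expects six (`any any -> any any`), so either a field was lost when the post was pasted or the rule would not load as written; and a keyword match on "nmap" only ever sees the handful of probes that put that string in a payload, so for the scan itself (which is mostly empty SYN packets) Snort's port-scan preprocessor (sfPortscan in Snort 2.x) is the mechanism designed for the job, not a `content` rule.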