3 Replies Latest reply on Jan 17, 2013 3:15 PM by Chris Boldiston

    NMAP Scan detection via snort rules in SIEM

      Dear All,


      I have applied the following Snort rule on our IPS and configured the IPS to send events to our McAfee Nitro SIEM. The following is the rule to detect nmap scan traffic on our server range.


      alert tcp any any -> 10.255.240.0/24 any (msg:"PTCL NMAP SCAN ON Servers"; content:"nmap"; nocase; sid:5224;)


      The content keyword is also placed in the rule to detect any content in the traffic that has the keyword "nmap". However, it is observed that many of our servers from different subnets are connecting to 10.255.240.0/24 and the events are triggered. For example, in the attached screenshot, the server 10.255.112.221 (a Microsoft SCCM machine) is connecting to 10.255.240.221.


      I am unable to understand why, when we have a specific rule that will only trigger if it sees the NMAP keyword, we have so many false positives.


      Can anybody shed light on it?


      Thanks

      Fahad
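As an added illustration (not part of Fahad's post, nor Snort or McAfee code), the following Python models what `content:"nmap"; nocase;` actually tests: a case-insensitive byte-substring search over the packet payload, with no notion of word boundaries and no requirement that the session be a scan. The sample payloads are constructed, not captured from the poster's network; the "Nmap Scripting Engine" User-Agent line and the "unmapped" text are illustrative of payloads that do and do not represent a scan, and the word-bounded regex is an assumption about what a tighter pattern (for example via Snort's `pcre` keyword) could express, not a diagnosis of the specific false positives in the screenshot.

```python
import re

# The match from the posted rule: content:"nmap"; nocase;
# Snort's content keyword is a plain byte-substring search over the payload;
# nocase makes the comparison case-insensitive.
CONTENT = b"nmap"

# Assumed tighter alternative: the same token, but only as a whole word.
# Snort can express this with pcre:"/\bnmap\b/i"; (assumption about intent,
# not a recommendation for this particular network).
WORD_BOUNDED = re.compile(rb"\bnmap\b", re.IGNORECASE)

# Constructed sample payloads (not real captures), labelled by what they stand for.
SAMPLE_PAYLOADS = {
    # An HTTP probe carrying the Nmap Scripting Engine User-Agent: a genuine hit.
    "nse_http_probe": (
        b"GET / HTTP/1.1\r\nHost: 10.255.240.221\r\n"
        b"User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine)\r\n\r\n"
    ),
    # Ordinary application text containing "UNMAPPED": "nmap" is a substring.
    "storage_status": b"INFO volume vol3 UNMAPPED from host srv01",
    # Lower-case "unmap" in a request parameter: also a substring hit.
    "lowercase_unmap": b"cmd=unmap&target=lun7",
    # A bare SYN (as in a SYN scan) carries no payload at all.
    "syn_no_payload": b"",
    # Binary data (a TLS ClientHello prefix) with no "nmap" bytes.
    "tls_client_hello": bytes.fromhex("160301003d0100003903034b"),
}


def content_nocase_match(payload: bytes, pattern: bytes = CONTENT) -> bool:
    """Model of content:"<pattern>"; nocase; -- case-insensitive substring search."""
    return pattern.lower() in payload.lower()


def word_bounded_match(payload: bytes) -> bool:
    """Model of a word-bounded, case-insensitive pattern for the same token."""
    return WORD_BOUNDED.search(payload) is not None


def evaluate(payloads: dict) -> dict:
    """Return {name: (substring_rule_fires, word_bounded_fires)} for each payload."""
    return {
        name: (content_nocase_match(p), word_bounded_match(p))
        for name, p in payloads.items()
    }


def false_positive_candidates(payloads: dict) -> list:
    """Payloads the substring rule fires on but the word-bounded pattern does not."""
    return sorted(
        name for name, (sub, word) in evaluate(payloads).items() if sub and not word
    )


if __name__ == "__main__":
    for name, (sub, word) in evaluate(SAMPLE_PAYLOADS).items():
        print(f"{name:18} content/nocase={sub!s:5} word-bounded={word}")
    print("substring-only hits:", false_positive_candidates(SAMPLE_PAYLOADS))
```

Two things the model makes visible: the `content` test fires on any payload that happens to contain those four bytes, such as the word "unmapped", and a payload-less SYN never matches a `content` rule at all. So the posted rule alerts on payload-bearing sessions that mention the substring rather than on scanning behaviour as such, which is consistent with legitimate management hosts appearing in the events.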