2 Replies Latest reply on Mar 9, 2016 8:25 PM by vfrancotecel

    Port Scan - LEM

    lem123

      Hello,

       

      I have created a Firewall Logon Failure with Inference notification. An email notification was added to the actions which was followed by several notifications being sent out.

       

      Checking the filters, TCPPortScan has hundreds of events and I am wondering how I can make use of this information.

       

      Alot of the AlertActivityType is "TCP Missing SYN Flag" - can anybody provide information on what this is?

       

      Obviously the idea is to customise this rule and ignore any false-positives.

       

      Many thanks

        • Re: Port Scan - LEM
          nicole pauls

          It looks like you received a number of TCP packets (that I would assume were blocked, though could have been allowed) that the log data indicated were all missing SYN flags. You can see this rule if you go to Build > Rules and search for the "inference" type rules, or "PortScan". If you open the rule and look at the threshold, then open the advanced threshold, you can see the logic for the rule.

           

          You might want to increase the threshold on your network if it's firing too frequently or doesn't actually look like a PortScan. Fun fact - you can actually see the original events that led up to this from your LEM Console (filters OR search) by clicking on the event then going to Explore > Event. It'll show you the events that came before and as a result (i.e. 10 TCPTrafficAudit events happened with Missing SYN Flag, then they triggered the TCPPortScan, which then triggered the email to be sent).

          • Re: Port Scan - LEM
            vfrancotecel

            On top of this question I would like to know if my network traffic can see the rise ...