8 Replies Latest reply on Aug 2, 2013 11:57 AM by ttl

    LEM:  Trying to tone down the noise

    ttl

        So I'm going through the Monitor filters and I'm trying to get rid of some of the noise.  I don't understand why some of the rules are matching. For example, we have a webserver, and whenever the firewall permits traffic to it, for some reason LEM logs it under the PortScan rule for the "Unusual Network Traffic" filter. This filter is composed of the vague "Network Suspicious Alerts" group (and I say vague because even when I go under Build > Groups and follow the selection tree down, I still don't know what the criteria are other than "TCPportscan", for example).

      So to start this off, my question is:  why is this being pegged as a PortScan when the Destination port is always port 80 for this host?

        • Re: LEM:  Trying to tone down the noise
          quasar

          Is this 5.5?  It flags because, out of the box, the correlation on the rules that do PortScan inference isn't set up the way you would expect.  If you find one of these rules (example:  TCPTrafficAudit with possible TCP PortScan Inference) and click the gear on the Correlation box, you'll see that the only criteria are that there are 10 TCPTrafficAudit events occurring within 10 seconds where the Source Machine is the same and the Destination Machine is the same.  Unique port numbers aren't required for the rule to trigger.

          I cloned all the PortScan inference rules that I had activated and added a requirement that the DestinationPort be distinct.  This reduces the number of triggers significantly.

            • Re: LEM:  Trying to tone down the noise
              ttl

              Thanks. This is actually LEM 5.6; when I click the gear to the right of the Rule you mention, then Edit, all I see is what is below. Not sure where you modified the criteria (or even what the criteria are, from what is below).



                • Re: LEM:  Trying to tone down the noise
                  quasar

                  Right.  So if you click the tiny square icon to the right of where it says "30 Events within 10 seconds" in the Correlation Time container, you'll see the definition for which events apply.  In 5.5, they are as specified above: "10 TCPTrafficAudit events occurring within 10 seconds where the Source Machine is the same and the Destination Machine is the same".  I haven't applied 5.6 yet, so I don't know if any changes have been made.  Let me know what you see in 5.6 and we'll go from there.

                    • Re: LEM:  Trying to tone down the noise
                      ttl

                        OK, so here's what I have to modify Correlation. I assume you modified the previous screen so that it was 10 events within 10 seconds; I added the DestinationPort field (set to Distinct)...

                        • Re: LEM:  Trying to tone down the noise
                          quasar

                          That should reduce how frequently the rule triggers.  The required behavior should now be that a source talks to a destination on unique destination ports at least 30 times in 10 seconds, which is the kind of behavior you would expect from something scanning for open ports on a box.  I would test it to make sure you like the results, tuning as necessary.  You should be able to force the rule to trigger with nmap, nessus, or something similar.

                          As far as the number of events required, I think it was 10 out of the box.  That may have been a change between versions.  You can adjust it to whatever works for your environment.
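The correlation discussed in this thread, written out as an added example (not LEM's own logic or anything posted by ttl or quasar): the out-of-box rule counts any N TCPTrafficAudit events between the same source and destination within a time window, while the tuned rule only counts events whose destination port is distinct within that window. The event tuples, hosts and ports below are constructed sample data, and the threshold/window defaults are the 10-in-10 values quoted for 5.5.

```python
from collections import defaultdict

# Constructed TCPTrafficAudit-style events: (seconds, source, destination, dest_port).
# One web client hitting port 80 repeatedly, plus one host sweeping distinct ports.
EVENTS = (
    [(t, "10.0.0.5", "10.0.0.80", 80) for t in range(12)]        # 12 hits on :80 in 11 s
    + [(t, "10.0.0.99", "10.0.0.80", 20 + t) for t in range(12)]  # 12 distinct ports in 11 s
)


def portscan_alerts(events, threshold=10, window=10, distinct_ports=False):
    """Emulate the correlation: `threshold` events from the same source to the same
    destination within `window` seconds fire one alert. With distinct_ports=True an
    event only counts if its destination port has not already been seen in the
    current window, which is the tuning described in the thread.
    Returns a list of (source, destination, trigger_time) tuples."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_pair[(src, dst)].append((ts, port))

    alerts = []
    for (src, dst), seq in by_pair.items():
        in_window = []  # (ts, port) pairs currently inside the sliding window
        for ts, port in seq:
            in_window = [(t, p) for t, p in in_window if ts - t < window]
            if distinct_ports and any(p == port for _, p in in_window):
                continue  # repeat of a port already seen: not scan-like, skip it
            in_window.append((ts, port))
            if len(in_window) >= threshold:
                alerts.append((src, dst, ts))
                in_window = []  # reset so one burst produces one alert
    return alerts


if __name__ == "__main__":
    # Out of the box the busy web client is flagged alongside the real sweep.
    print("default rule :", portscan_alerts(EVENTS))
    # Requiring distinct ports leaves only the sweeping host.
    print("distinct port:", portscan_alerts(EVENTS, distinct_ports=True))
    # Raising the count to 30 (the 5.6 default shown) suppresses both short bursts.
    print("30 in 10 s   :", portscan_alerts(EVENTS, threshold=30, distinct_ports=True))
```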