Hi all. Does anyone have any experience or opinion about having a bunch of portscan events triggered in LEM relating to the HP Universal Printer Driver contacting workstations on port 5226 for printer status? I am trying to figure out how to best handle this. Disable LEM alerts on port 5226?
Assuming you're using one of our template PortScan rules, the criteria is just looking for 10 packets where:
So if the printer or client sends data to the same IP but on different ports trying to establish a pipe, that may cause false positives. You could modify the rule to ignore source and/or destination ports of 5226.
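
An added example, not part of the thread and not LEM's own rule logic: a simplified threshold detector run over constructed events, showing how traffic from a fixed port 5226 to many ephemeral ports trips a portscan count and how a per-packet port exclusion suppresses it while a real scan still fires. The threshold of 10 and port 5226 come from the thread; grouping by source/destination pair, counting distinct destination ports, and all IP addresses and function names are assumptions.

```python
from collections import defaultdict

THRESHOLD = 10         # packet count quoted in the reply
HP_STATUS_PORT = 5226  # port named in the thread


def sample_events():
    """Constructed events as (src_ip, src_port, dst_ip, dst_port)."""
    events = []
    # Status traffic from fixed port 5226 to another host's ephemeral ports.
    for i in range(12):
        events.append(("10.0.0.50", HP_STATUS_PORT, "10.0.0.10", 49152 + i))
    # One host probing many low ports on another, touching 5226 once as well.
    for port in list(range(20, 35)) + [HP_STATUS_PORT]:
        events.append(("10.0.0.99", 40000, "10.0.0.20", port))
    return events


def detect_portscan(events, ignored_ports=frozenset(), threshold=THRESHOLD):
    """Return sorted (src_ip, dst_ip) pairs reaching `threshold` distinct
    destination ports (assumed criteria, not the template rule's)."""
    ports_seen = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port in events:
        # The exclusion is applied per packet, on either end of the flow,
        # so other ports touched by the same source are still counted.
        if src_port in ignored_ports or dst_port in ignored_ports:
            continue
        ports_seen[(src_ip, dst_ip)].add(dst_port)
    return sorted(
        pair for pair, ports in ports_seen.items() if len(ports) >= threshold
    )


if __name__ == "__main__":
    events = sample_events()
    print("without exclusion:", detect_portscan(events))
    print("ignoring 5226:    ", detect_portscan(events, {HP_STATUS_PORT}))
```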