3 replies. Latest post 2012-11-27T18:02:06Z by SystemAdmin
Pinned topic Detecting Nmap scan with CheckPoint FW

2012-09-28T13:30:01Z
Hi,

I was trying to build a rule which could detect Nmap scan attempts. I created the rule as in the attachment (rule.png).

I created one building block in which I placed the QIDs of the events which are being generated by our firewalls (bb.png) during the scan. This BB is loaded by the "System: Load Building Blocks" rule. When I try to scan some example machine I get the following flow of events on QRadar (port-scan.zip). However, no offense is created when I perform the scan from the machine with the IP address defined in the rule.

For me the rule conditions look fine. Could you tell me what is wrong here?

Best Regards
Jarosław Mila

Posted By Jaroslaw Mila
Updated on 2012-11-27T18:02:06Z at 2012-11-27T18:02:06Z by SystemAdmin
  • Re: If you dive into the

    2012-09-29T17:40:26Z in response to SystemAdmin
    If you dive into the individual events, do you see your BB applying to the events?

    Posted By Eric Gearhart
  • Re: Hello Eric, Yes, when I go to

    2012-10-01T08:48:02Z in response to SystemAdmin
    Hello Eric,

    Yes, when I go to a particular event during the scan I can see my BB under Additional Information | Custom Rules.

    I also created a rule "Finding events on Checkpoint FW" which fires when it matches the BB above. Then I selected this auxiliary rule in "Portscan on Checkpoint FW detected" instead of the BB. However, the main rule still does not respond when I perform the scan.

    What is more interesting is that this construction itself (BB + rule) seems to be working: I created a search with Custom Rule set to "Finding events..." and the search returns valid events.

    Regards
    JM
    Posted By Jaroslaw Mila
  • Re: JM, When you are searching

    2012-11-27T18:02:06Z in response to SystemAdmin
    JM,

    When you are searching for the events that matched your rule, are you using the Partial match filter of the "Matched Custom Rule" filter? A partial match indicates that some properties of the rule were matched, but the threshold was not matched to trigger the rule.

    Posted By scott.vanwart
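As an added illustration of the partial-match versus full-match distinction discussed in this thread (example code written for this page, not code from the thread or from QRadar): a small replay of a threshold-style port-scan rule over constructed firewall events. The BB test matches every event carrying one of the firewall QIDs (what QRadar would report as a partial match), while the rule only fires once one source has hit enough distinct ports inside the time window. The QIDs, the threshold of 10 ports and the 60-second window are assumptions, not values from the thread.

```python
from collections import defaultdict, deque

# Constructed QIDs standing in for the firewall drop events listed in the BB (assumption).
FW_DROP_QIDS = {1000001, 1000002}


def bb_matches(event):
    """Building-block test: does the event carry one of the firewall QIDs?"""
    return event["qid"] in FW_DROP_QIDS


def evaluate_rule(events, min_ports=10, window_s=60):
    """Replay events in time order through a threshold rule.

    Returns (partial, full): partial is the list of events whose properties
    matched the BB (a partial match in QRadar terms); full maps a source IP
    to the timestamp at which it reached min_ports distinct destination ports
    within window_s seconds, i.e. when the rule would actually fire.
    """
    partial = []
    full = {}
    recent = defaultdict(deque)  # src_ip -> (ts, dst_port) pairs inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not bb_matches(ev):
            continue  # not a firewall event: neither partial nor full match
        partial.append(ev)
        src = ev["src_ip"]
        q = recent[src]
        q.append((ev["ts"], ev["dst_port"]))
        while q and q[0][0] < ev["ts"] - window_s:
            q.popleft()  # slide the window forward
        if len({p for _, p in q}) >= min_ports and src not in full:
            full[src] = ev["ts"]
    return partial, full


# Constructed sample feed: one host sweeping 12 ports in 12 seconds, one host
# repeatedly hitting a single port, and one unrelated event from a non-BB QID.
SCAN_EVENTS = (
    [{"ts": 100 + i, "qid": 1000001, "src_ip": "10.0.0.5", "dst_port": 20 + i} for i in range(12)]
    + [{"ts": 200 + 30 * i, "qid": 1000001, "src_ip": "10.0.0.9", "dst_port": 80} for i in range(3)]
    + [{"ts": 150, "qid": 9999999, "src_ip": "10.0.0.5", "dst_port": 443}]
)

if __name__ == "__main__":
    partial, full = evaluate_rule(SCAN_EVENTS)
    print(f"partial matches: {len(partial)}, rule fired for: {full}")
```

Running it shows 15 partial matches (every firewall event from both hosts) but a full match only for 10.0.0.5, which is the situation where a search filtered on the matched custom rule returns events although no offense is created.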