I was trying to build a rule which could detect Nmap scan attempts. I created the rule as in the attachment (rule.png).
I created one building block in which I placed the QIDs of the events generated by our firewalls (bb.png) during a scan. This BB is loaded by the "System: Load Building Blocks" rule. When I try to scan some example machine, I get the following flow of events on QRadar (port-scan.zip). However, no offense is created when I perform the scan from the machine with the IP address defined in the rule.
To me the rule conditions look fine. Could you tell me what is wrong here?
Posted by Jarosław Mila
Topic: Detecting Nmap scan with CheckPoint FW
Reply, 2012-10-01T08:48:02Z, in response to SystemAdmin:
Hello Eric,
Yes, when I go to a particular event during the scan I can see my BB under Additional Information | Custom Rules.
I also created a rule "Finding events on Checkpoint FW" which fires when it matches the BB above. Then I selected this auxiliary rule in "Portscan on Checkpoint FW detected" instead of the BB. However, the main rule still does not respond when I perform the scan.
What is more interesting is that this construction itself (BB + rule) seems to be working: I created a search with Custom Rule set to "Finding events..." and the search returns valid events.
Posted by Jaroslaw Mila
Reply, 2012-11-27T18:02:06Z, in response to SystemAdmin:
JM,
When you are searching for the events that matched your rule, are you using the Partial match filter of the "Matched Custom Rule" filter? A partial match indicates that some properties of the rule were matched, but the threshold was not met to trigger the rule.
Posted by scott.vanwart
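An added illustration of the distinction drawn in the last reply (example code written for this thread, not QRadar's engine or anything the posters shared): a small correlation loop over constructed firewall events that labels an event "partial" when the per-event conditions (QID in the building block, watched source address) match, and "offense" only once the source has hit a count threshold inside a time window. The QIDs, addresses, window and thresholds are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed placeholders: QIDs standing in for the firewall drop events a
# building block would collect, and the scanning host named in the rule.
BB_FIREWALL_SCAN_QIDS = {18100001, 18100002}
WATCHED_SOURCES = {"10.0.0.5"}

@dataclass
class Event:
    ts: int        # seconds since start of the capture
    qid: int
    src: str
    dst_port: int

def conditions_match(ev: Event) -> bool:
    """Per-event tests only; a 'partial' match confirms just these."""
    return ev.qid in BB_FIREWALL_SCAN_QIDS and ev.src in WATCHED_SOURCES

def evaluate(events, min_ports=10, window=60):
    """Label each event 'none', 'partial' or 'offense'; 'partial' means the
    per-event conditions matched but the source has not yet hit min_ports
    distinct destination ports inside the sliding window (seconds)."""
    seen = defaultdict(list)   # src -> [(ts, dst_port)] of matching events
    verdicts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not conditions_match(ev):
            verdicts.append((ev, "none"))
            continue
        hist = seen[ev.src]
        hist.append((ev.ts, ev.dst_port))
        hist[:] = [(t, p) for t, p in hist if ev.ts - t <= window]  # expire old
        ports = {p for _, p in hist}
        verdicts.append((ev, "offense" if len(ports) >= min_ports else "partial"))
    return verdicts

def count_verdicts(verdicts):
    """Tally verdict labels, e.g. {'partial': 6, 'none': 1}."""
    counts = defaultdict(int)
    for _, v in verdicts:
        counts[v] += 1
    return dict(counts)

# Constructed sample: six blocked ports from the watched host in a minute, plus one drop from another host.
SAMPLE = [Event(i, 18100001, "10.0.0.5", 20 + i) for i in range(6)]
SAMPLE.append(Event(3, 18100001, "10.0.0.9", 22))

if __name__ == "__main__":
    print(count_verdicts(evaluate(SAMPLE)))               # threshold 10: no offense
    print(count_verdicts(evaluate(SAMPLE, min_ports=5)))  # threshold 5: offense fires
```

With the threshold left at 10 every event from the watched host is only a partial match, which is exactly what a search on the matched rule would show while no offense appears; lowering the threshold to 5 turns the fifth and sixth events into offenses.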