• 3 replies
  • Latest Post - ‏2012-11-27T18:02:06Z by SystemAdmin
184 Posts

Pinned topic Detecting Nmap scan with CheckPoint FW

2012-09-28T13:30:01Z

I was trying to build a rule which could detect Nmap scan attempts. I created the rule as in the attachment (rule.png).

I created one building block in which I placed the QIDs of the events which are generated by our firewalls (bb.png) during a scan. This BB is loaded by the "System: Load Building Blocks" rule. When I try to scan some example machine I got the following flow of events on QRadar ( However, no offense is created when I perform the scan from the machine with the IP address defined in the rule.

For me rule conditions look fine. Could you tell me what is wrong here?

Best Regards
Jarosław Mila

Posted By Jaroslaw Mila
  • SystemAdmin

    Re: If you dive into the

    If you dive into the individual events, do you see your BB applying to the events?

    Posted By Eric Gearhart
  • SystemAdmin

    Re: Hello Eric,Yes, when I go to

    Hello Eric,

    Yes, when I go to particular event during scan I can see my BB under Additional Information | Custom Rules.

    I also created a rule "Finding events on Checkpoint FW" which fires when it matches the BB above. Then I selected this auxiliary rule in "Portscan on Checkpoint FW detected" instead of the BB. However, the main rule still does not respond when I perform the scan.

    What is more interesting is that this construction itself (BB + rule) seems to be working - I created a search with Custom Rule set to "Finding events..." and the search returns valid events.

    Posted By Jaroslaw Mila
  • SystemAdmin

    Re: JM, When you are searching

    JM,

    When you are searching for the events that matched your rule, are you using the Partial match filter of the "Matched Custom Rule" filter? A partial match indicates that some properties of the rule were matched, but the threshold was not met to trigger the rule.

    Posted By scott.vanwart
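The distinction raised in the last reply, a building block matching individual events (a partial match) versus the rule's threshold being reached across events (an offense), is easy to misread in the QRadar UI. The following Python script is an added illustration of that logic and is not code from the thread, from IBM, or from QRadar itself; the QIDs, IP addresses, port-count threshold and window are constructed placeholders, and the sliding-window evaluation is a simplified stand-in for how a counting rule test behaves.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical building block: the QIDs the firewall emits during a scan
# (placeholder numbers, not real Check Point QIDs) plus the scanning host.
BB_QIDS = {900001, 900002}
SCANNER_IPS = {"10.0.0.5"}


def make_events():
    """Constructed sample log: one scanner sweeping 12 ports in ~30 seconds,
    then re-probing 6 of them, plus an unrelated host hitting one port."""
    t0 = datetime(2012, 9, 28, 13, 30, 0)
    events = []
    for i in range(12):
        events.append({"qid": 900001, "src": "10.0.0.5", "dst": "10.0.0.20",
                       "dport": 20 + i, "time": t0 + timedelta(seconds=2 * i)})
    for i in range(6):  # more events from the scanner, but no new ports
        events.append({"qid": 900002, "src": "10.0.0.5", "dst": "10.0.0.20",
                       "dport": 20 + i, "time": t0 + timedelta(seconds=25 + i)})
    events.append({"qid": 900001, "src": "10.0.0.7", "dst": "10.0.0.20",
                   "dport": 443, "time": t0 + timedelta(seconds=5)})
    return events


def bb_matches(event):
    """Building-block test: QID is in the BB and the source is a known scanner.
    This is the part the poster confirmed under Additional Information | Custom Rules."""
    return event["qid"] in BB_QIDS and event["src"] in SCANNER_IPS


def evaluate_rule(events, min_ports=10, window=timedelta(minutes=1)):
    """Evaluate a threshold rule per source IP with a sliding time window.

    Returns {src: {"partial": bool, "offense": bool, "ports": int}}.
    'partial' means at least one event passed the BB test (what the
    "Matched Custom Rule" partial-match filter would surface); 'offense'
    means the number of distinct destination ports seen within one window
    reached min_ports, which is what actually fires the rule.
    """
    per_src = defaultdict(list)
    for ev in events:
        if bb_matches(ev):
            per_src[ev["src"]].append(ev)

    result = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["time"])
        best = 0
        for i, start in enumerate(evs):
            # distinct ports hit from 'start' forward, within the window
            ports = {e["dport"] for e in evs[i:]
                     if e["time"] - start["time"] <= window}
            best = max(best, len(ports))
        result[src] = {"partial": True, "offense": best >= min_ports, "ports": best}
    return result


if __name__ == "__main__":
    for threshold in (10, 20):
        print(f"threshold={threshold}:", evaluate_rule(make_events(), min_ports=threshold))
```

With the constructed sample, the scanner produces 18 BB-matching events but only 12 distinct ports, so a threshold of 10 yields an offense while a threshold of 20 leaves only a partial match; the host that is not in the BB's address list appears in neither. That is the situation to check for in the thread: the BB matching on every event does not by itself mean the counting test's threshold and window are being satisfied.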