I was trying to build a rule which could detect Nmap scan attempts. I created the rule as in the attachment (rule.png).
I created one building block in which I placed the QIDs of the events which are generated by our firewalls (bb.png) during a scan. This BB is loaded by the "System: Load Building Blocks" rule. When I try to scan some example machine I get the following flow of events on QRadar (port-scan.zip). However, no offense is created when I perform the scan from the machine with the IP address defined in the rule.
To me the rule conditions look fine. Could you tell me what is wrong here?
Posted By Jarosław Mila
Detecting Nmap scan with CheckPoint FW
Re: 2012-09-29T17:40:26Z
If you dive into the individual events, do you see your BB applying to the events?
Posted By Eric Gearhart
Re: 2012-10-01T08:48:02Z
Hello Eric,
Yes, when I go to a particular event during the scan I can see my BB under Additional Information | Custom Rules.
I also created a rule "Finding events on Checkpoint FW" which fires when it matches the BB above. Then I selected this auxiliary rule in "Portscan on Checkpoint FW detected" instead of the BB. However, the main rule still does not respond when I perform the scan.
What is more interesting is that this construction itself (BB + rule) seems to be working - I created a search with Custom Rule set to "Finding events..." and the search returns valid events.
Posted By Jaroslaw Mila
Re: 2012-11-27T18:02:06Z
JM,
When you are searching for the events that matched your rule, are you using the Partial match filter of the "Matched Custom Rule" filter? A partial match indicates that some properties of the rule were matched, but the threshold was not met to trigger the rule.
Posted By scott.vanwart
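As an added illustration of the partial-match point in the answer above (example code, not from the thread or from QRadar itself): a toy replay in which the building-block test is applied to every event, but an offense is raised only once a per-source threshold of distinct destination ports within a time window is crossed. The QIDs, addresses, threshold and window are constructed values.

```python
from collections import defaultdict, deque
from typing import NamedTuple


class Event(NamedTuple):
    ts: int        # epoch seconds
    qid: int       # event identifier (constructed placeholder values)
    src: str       # source IP
    dst_port: int  # destination port the firewall saw


# Stands in for the building block: the QIDs the firewall emits when it
# drops a probe. Constructed values, not real QRadar QIDs.
SCAN_QIDS = {900001, 900002}


def bb_matches(ev: Event) -> bool:
    """Per-event test. Passing it is what a 'partial match' records; it does
    not by itself create an offense."""
    return ev.qid in SCAN_QIDS


def evaluate_rule(events, min_ports=10, window_s=60):
    """Replay events in time order. Returns (partial_match_count, offenses):
    partial matches are events the BB accepted; an offense is raised only when
    one source touches >= min_ports distinct destination ports within window_s."""
    partial = 0
    offenses = {}                 # src -> (ts when threshold crossed, port count)
    recent = defaultdict(deque)   # src -> deque of (ts, dst_port) inside the window
    for ev in sorted(events, key=lambda e: e.ts):
        if not bb_matches(ev):
            continue
        partial += 1
        q = recent[ev.src]
        q.append((ev.ts, ev.dst_port))
        while q and ev.ts - q[0][0] > window_s:   # slide the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports and ev.src not in offenses:
            offenses[ev.src] = (ev.ts, len(ports))
    return partial, offenses


# Constructed sample: 10.0.0.5 sweeps 12 ports in ~24 s (a scan), 10.0.0.7
# touches 3 ports (ordinary noise), and one event carries a QID the BB ignores.
SAMPLE = (
    [Event(1000 + 2 * i, 900001, "10.0.0.5", 20 + i) for i in range(12)]
    + [Event(1005 + 10 * i, 900002, "10.0.0.7", 443 + i) for i in range(3)]
    + [Event(1010, 123456, "10.0.0.9", 22)]
)

if __name__ == "__main__":
    partial, offenses = evaluate_rule(SAMPLE)
    print(f"partial matches: {partial}")   # 15
    print(f"offenses: {offenses}")         # {'10.0.0.5': (1018, 10)}
```

All fifteen BB hits show up as partial matches, yet only one source produces an offense; raising the threshold above what the scanner reached leaves the partial matches unchanged and the offense list empty.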