Question & Answer
Question
Why do TCP_Probe_XXXX signatures sometimes not appear to fire on the QRadar Network Security (XGS) sensor?
Answer
TCP_Probe_XXXX events are a subset of the TCP_Port_Scan signature on the XGS sensor. Therefore, if the TCP_Port_Scan signature fires, the sensor coalesces the TCP_Probe events into the TCP_Port_Scan event.
The exception to this behavior is when you have configured the TCP_Probe_XXXX signature for a quarantine response. If that is the case, the event that is generated from the signature will not be coalesced into the TCP_Port_Scan events and you will see events for both signatures.
Document Information
Modified date:
23 January 2021
UID
swg21983891