02-26-2019 12:07 AM
Hi. I recently set up IPS on Firepower, but portscan detection catches traffic from the domain controller to a host device that is used to watch cameras. I don't understand what kind of traffic it is that triggers portscan detection. What could be sent from the domain controller to hosts that triggers the portscan rule? Moreover, I observed that the traffic is destined to port 135, but again I didn't understand which traffic uses 135 and causes this issue. Please help me as soon as possible. Thanks in advance.
02-26-2019 01:57 AM
02-26-2019 02:02 AM
Hi. I have already specified my private network in the variable set. Firepower is internal and I added only the private ranges that I use to the variable set. I use the 172.16.0.0 and 192.168.0.0 private ranges. But a server on 172.16.0.1 (for example) requests the 192.168.10.1 host. Portscan then detects it as if an anomaly occurred.
02-27-2019 03:53 AM
It could be a false positive. You can change the rules by going into a Snort rule and changing it according to your requirements.