Been getting some new intrusion events the past two days which I believe are false positives, or at least not a true indication of the exploit it is detecting. Digging into what is triggering the event, I am thinking that the Snort rule implemented in Firepower is not correct. According to the article by FireEye which details the exploit, and provides the Snort rule for detecting it, the source ports are explicitly listed:
alert tcp any [21,22,23,25,53,80,443,8080] -> any !3389 (msg:"RDP - HANDSHAKE [Tunneled msts]"; dsize:<65; content:"|03 00 00|"; depth:3; content:"|e0|"; distance:2; within:1; content:"Cookie: mstshash="; distance:5; within:17; sid:1; rev:1;)
Which makes sense because the initial connection would initiate outbound from a compromised internal host. However, in Firepower the source port is defined as any:
alert tcp $EXTERNAL_NET any -> $HOME_NET !3389 ...
From my understanding of the exploit the internal host would initiate the connection outbound, so when the attacker tunnels the RDP traffic through the connection the source port would be a well known port such as those listed in the FireEye Snort definition.
The events I am getting are initiated externally, destined to some public facing hosts: the source port is a random high port, and the destination ports are ones allowed through my firewall for these public servers. Because the connection is originating from the outside, and not from an internal, already compromised host, this traffic wouldn't have any impact, at least from the perspective of this particular exploit. Aside from trying to determine if an IPS is present, I am unsure why someone would be scanning for this.
Am I thinking of this correctly, or am I missing something?
-Thanks
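To make the difference between the two rule variants concrete, here is an added example (not part of the original post or of either vendor's code) that evaluates both rules offline. It implements the content/depth/distance/within checks of the rule body the way Snort evaluates them, builds a constructed X.224 Connection Request carrying an `mstshash` cookie, and runs the three flows discussed in the post through the FireEye source-port list and the Firepower `any` source port. The `$EXTERNAL_NET`/`$HOME_NET` variables are assumed to already be satisfied and are not modeled; the scenario names and helper names are illustrative.

```python
"""Offline evaluation of the 'RDP - HANDSHAKE [Tunneled msts]' rule body against
constructed packets. Added example; nothing here is captured traffic."""

# Source-port list from the FireEye rule: any [21,22,23,25,53,80,443,8080] -> any !3389
FIREEYE_SRC_PORTS = {21, 22, 23, 25, 53, 80, 443, 8080}
# Firepower variant: $EXTERNAL_NET any -> $HOME_NET !3389 (network vars not modeled here)
ANY = None


def _find_relative(payload: bytes, pattern: bytes, start: int, window: int) -> int:
    """Search for pattern inside payload[start:start+window] and return the offset
    just past the match, or -1. This mirrors Snort's evaluation of a content keyword
    with distance (start relative to the previous match) and within (window size)."""
    idx = payload.find(pattern, start, start + window)
    return -1 if idx < 0 else idx + len(pattern)


def payload_matches(payload: bytes) -> bool:
    """dsize:<65; content:"|03 00 00|"; depth:3; content:"|e0|"; distance:2; within:1;
    content:"Cookie: mstshash="; distance:5; within:17;"""
    if len(payload) >= 65:                                   # dsize:<65
        return False
    end = _find_relative(payload, b"\x03\x00\x00", 0, 3)     # depth:3 (TPKT header)
    if end < 0:
        return False
    end = _find_relative(payload, b"\xe0", end + 2, 1)       # distance:2; within:1 (X.224 CR)
    if end < 0:
        return False
    end = _find_relative(payload, b"Cookie: mstshash=", end + 5, 17)  # distance:5; within:17
    return end >= 0


def rule_matches(src_ports, src_port: int, dst_port: int, payload: bytes) -> bool:
    """Port predicate of the rule header plus the rule body. src_ports=None means 'any'."""
    if src_ports is not None and src_port not in src_ports:
        return False
    if dst_port == 3389:                                     # !3389
        return False
    return payload_matches(payload)


def build_x224_connection_request(username: bytes) -> bytes:
    """Constructed RDP Connection Request: TPKT header, X.224 CR TPDU, mstshash cookie,
    optional RDP Negotiation Request. The field layout is what gives the rule its offsets:
    byte 5 is the 0xE0 CR code and byte 11 is the start of the cookie."""
    cookie = b"Cookie: mstshash=" + username + b"\r\n"
    neg_req = b"\x01\x00\x08\x00\x0b\x00\x00\x00"            # TYPE_RDP_NEG_REQ, len 8
    x224_body = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + cookie + neg_req
    x224 = bytes([len(x224_body)]) + x224_body               # LI excludes itself
    tpkt = b"\x03\x00" + (4 + len(x224)).to_bytes(2, "big")  # version 3, reserved, length
    return tpkt + x224


def evaluate_scenarios() -> dict:
    """Run the flows discussed in the post through both rule variants."""
    pkt = build_x224_connection_request(b"admin")
    scenarios = {
        # attacker's listener on 443 pushing RDP back down a tunnel to a compromised host
        "tunnel_attacker443_to_internal_ephemeral": (443, 50123),
        # what the post describes: external scanner, ephemeral source, allowed service port
        "scan_external_ephemeral_to_public443": (51234, 443),
        # plain RDP straight to 3389 is excluded by !3389 in both variants
        "direct_rdp_to_3389": (51234, 3389),
    }
    return {
        name: {
            "fireeye": rule_matches(FIREEYE_SRC_PORTS, sport, dport, pkt),
            "firepower": rule_matches(ANY, sport, dport, pkt),
        }
        for name, (sport, dport) in scenarios.items()
    }


if __name__ == "__main__":
    for name, result in evaluate_scenarios().items():
        print(f"{name:45s} fireeye={result['fireeye']!s:5s} firepower={result['firepower']}")
```

The scan flow (ephemeral source port to an allowed service port) fires only the Firepower variant, because the FireEye header rejects it on the source port before the payload is ever inspected; both variants fire on the tunnelled flow with a well-known source port, and neither fires on a real RDP connection to 3389. The `dsize:<65` check also means a sufficiently long username in the cookie escapes the rule entirely, which is worth knowing when judging how much coverage either variant actually provides.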