In operating the SSIM against a diverse range of equipment, I have found that some things that should be obvious have not been added to the default rules. I am posting this in the hope that we can get a discussion going and share the rule improvements we have made. Maybe this can even make it back into the Symantec default rules?
Rule: IRC Bot Net
OR IP Destination Port = 6667
IP Destination Port = 6666
IP Destination Port = 7000
This rule only detects on the basis of port = 6666, 6667, 7000. It produces false positives when a Cisco ASA closes any connection that may have originated from one of those port numbers to a legitimate port. It also detects blocked inbound attempts, which really don't matter.
I have ANDed this group with the following checks:
AND IP Source Port IS NOT IN Authorized_Ports_Outbound,
and added some standard outbound port numbers (80, 443, 53, 123) to that lookup list.
OR Option 2 ≠ drop OR Network Traffic Direction ≠ Inbound
Rule: Block Scan
AND Mechanisms DOESN'T CONTAIN Port Sweep
Source Host Policies DOESN'T CONTAIN Firewall
Source Host Policies DOESN'T CONTAIN Proxy
Mechanisms CONTAINS Port Scan
So this rule picks up a false positive whenever there are probes from vulnerability scanners. Interestingly, Symantec have added the following to the Web Vulnerability Scan rule, but not to the others! So I very simply customised the following rules in the same way:
Rule: Vulnerability Scan Detector
Rule: Port Scan Detector
Rule: Ping Scan Detector
Rule: Internal Port Sweep
Rule: External Port Sweep
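To make the effect of the two customisations concrete, here is a plain-Python model of the rules above run over a handful of constructed events. This is an added example, not SSIM's rule engine or any Symantec code. The field names (src_port, dst_port, action, direction, mechanisms, src_host_policies) are assumptions standing in for the SSIM fields named in the post (action stands in for "Option 2"), the sample events are constructed rather than real firewall logs, and the excluded Source Host Policies are just the Firewall and Proxy values shown on the page; a scanner host would need whatever policy tag you give it added to that set.

```python
# Added example: a plain-Python model of the IRC Bot Net and Block Scan rule
# customisations described in the post, run over constructed events. It is not
# SSIM's rule engine or Symantec code; field names and sample events are
# assumptions standing in for the SSIM fields the post names.

IRC_PORTS = {6666, 6667, 7000}
# The post's Authorized_Ports_Outbound lookup list after the author's additions.
AUTHORIZED_PORTS_OUTBOUND = {80, 443, 53, 123}
# Source Host Policies values excluded by the Block Scan rule on the page.
# Add the tag your vulnerability scanners carry to suppress their probes.
EXCLUDED_SCAN_SOURCES = {"Firewall", "Proxy"}


def irc_rule_default(ev):
    """Rule: IRC Bot Net as shipped: destination port only."""
    return ev["dst_port"] in IRC_PORTS


def irc_rule_customised(ev):
    """Default condition ANDed with the two checks added in the post."""
    if ev["dst_port"] not in IRC_PORTS:
        return False
    # AND IP Source Port IS NOT IN Authorized_Ports_Outbound: a teardown of a
    # legitimate outbound session can be logged with the well-known port as the
    # source and the client's ephemeral port (here 6667) as the destination.
    if ev["src_port"] in AUTHORIZED_PORTS_OUTBOUND:
        return False
    # AND (Option 2 <> drop OR Network Traffic Direction <> Inbound): only a
    # blocked inbound attempt is suppressed; everything else still fires.
    if ev["action"] == "drop" and ev["direction"] == "Inbound":
        return False
    return True


def scan_rule_default(ev):
    """Port Scan mechanism without Port Sweep, no source-host exclusions."""
    return "Port Scan" in ev["mechanisms"] and "Port Sweep" not in ev["mechanisms"]


def scan_rule_customised(ev):
    """Same, but events whose source host carries an excluded policy are dropped."""
    if not scan_rule_default(ev):
        return False
    return not (EXCLUDED_SCAN_SOURCES & set(ev["src_host_policies"]))


def fired(rule, events):
    """Names of the events a rule would alert on, in input order."""
    return [ev["name"] for ev in events if rule(ev)]


# Constructed events (not real firewall logs).
NET_EVENTS = [
    dict(name="real outbound irc", src_port=51234, dst_port=6667,
         action="build", direction="Outbound"),
    dict(name="asa teardown of https session", src_port=443, dst_port=6667,
         action="teardown", direction="Outbound"),
    dict(name="blocked inbound probe", src_port=40000, dst_port=6667,
         action="drop", direction="Inbound"),
    dict(name="allowed inbound irc", src_port=40000, dst_port=7000,
         action="build", direction="Inbound"),
    dict(name="ordinary https", src_port=51235, dst_port=443,
         action="build", direction="Outbound"),
]

SCAN_EVENTS = [
    dict(name="port scan from workstation", mechanisms=["Port Scan"],
         src_host_policies=[]),
    dict(name="port scan from proxy", mechanisms=["Port Scan"],
         src_host_policies=["Proxy"]),
    dict(name="port sweep", mechanisms=["Port Scan", "Port Sweep"],
         src_host_policies=[]),
]

if __name__ == "__main__":
    print("IRC default:    ", fired(irc_rule_default, NET_EVENTS))
    print("IRC customised: ", fired(irc_rule_customised, NET_EVENTS))
    print("Scan default:   ", fired(scan_rule_default, SCAN_EVENTS))
    print("Scan customised:", fired(scan_rule_customised, SCAN_EVENTS))
```

The default IRC rule fires on the ASA teardown and the blocked inbound probe as well as the real outbound session; the customised rule keeps the real session (and an allowed inbound connection to 7000, which the added checks deliberately do not suppress) and drops the two false positives. The scan rule likewise keeps the workstation scan and drops the one from a host tagged Proxy.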