NMAP ruleset are FP?

jul10l1r43 · September 5, 2024, 11:34am

Does anyone know why several rules that identified portscan were removed? 2009582 for example

# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009582; classtype:attempted-recon; sid:2009582; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

James · September 5, 2024, 12:59pm

Hey, the rule you referenced has not been removed or deleted, it is simply disabled. This was one of many rules that we have chosen to disable by default to improve the performance of the default ruleset before any curations are made.

Topic		Replies	Views
IDS and IPS rules on LAN Rule Signatures configuration , config , suricata , etopen	1	497	January 22, 2024
SID 2012870 - Outbound Request contains pw Rule Signatures snort3 , false-positives	2	292	December 19, 2023
Ruleset Update Summary - 2023/06/16 - v10350 Ruleset Updates	1	195	June 16, 2023
Snort3, Snort2lua, and the Emerging Threats Snort 2.9 ruleset Show and Tell snort3 , snort2lua , etopen , etpro	2	3061	April 14, 2023
Ruleset Update Summary - 2024/04/26 - v10584 Ruleset Updates	0	215	April 26, 2024

NMAP ruleset are FP?

Related topics