Hi,
In SEIM, I can see some detection rules are triggered like although the related ports are already closed:
signal.rule.name: "Telnet Port Activity" (which works on port 23)
and
signal.rule.name: "SMTP on Port 26/TCP" (which works on port 26)
I tried to netcat them and they are triggered again although they are closed!
1- Why the rules are triggered although ports are closed?
2- how can I disable alerting on closed ports and keep it for open ones only?
Thanks in advance.
Regards,