Detection Rules Triggered although ports are closed!

ethical20 · March 8, 2021, 10:28am

Hi,

In SEIM, I can see some detection rules are triggered like although the related ports are already closed:

signal.rule.name: "Telnet Port Activity" (which works on port 23)

and

signal.rule.name: "SMTP on Port 26/TCP" (which works on port 26)

I tried to netcat them and they are triggered again although they are closed!

1- Why the rules are triggered although ports are closed?
2- how can I disable alerting on closed ports and keep it for open ones only?

Thanks in advance.

Regards,

system · April 5, 2021, 10:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Detection Rules Triggered although ports are closed! SIEM detection-rules	1	375	April 1, 2021
Edit Telnet port Activity rule SIEM detection-rules	3	616	April 19, 2021
Detection Engine does not create Signals anymore Elastic Security detection-rules	1	574	December 1, 2021
"SMTP to Internet" signal detection rule is not fired up by Elastic SIEM SIEM	3	491	July 14, 2020
Threshold confusion (detecting a burst of connections on a specific port) Elastic Security	2	132	June 26, 2024