
Usefulness of these Internal Rules fired from LEM Appliance


I just wanted to question the usefulness of some of the internal rules which are set up to fire. These come from the LEM appliance and do not have any useful information other than the fact that these rules show up. I can't really gather any information from the Extraneous Info, as with some, because these only have "Inferred [...]" in that field.

Here are the ones that are like this for me:

  • The 'UDPTrafficAudit with Unusual UDP Traffic Inference' rule fired
  • The 'TCPTrafficAudit with possible Unusual TCP Traffic Inference' rule fired
  • The 'UDPTrafficAudit with UDP PortScan Inference' rule fired
  • The 'UDPTrafficAudit with UDP PortScan Inference' rule fired
  • The 'TCPTrafficAudit Missing SYN Bit with possible Inference' rule fired
I know I can turn these off, so that is not my question. I'd like to know what these are useful for in my monitoring. I know what a port scan is and to what the SYN bit is referring, but the information presented in the event is not useful, as far as I can tell. Thanks!
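For readers wondering what a "PortScan Inference" or "Missing SYN Bit" event is actually telling them, the following is an added illustration and is not code from the original post or from LEM itself. It shows, over constructed flow records, the kind of heuristic such an inference typically rests on: a port sweep is one source touching many distinct destination ports in a short window, and a missing-SYN flow is a TCP session the sensor saw mid-stream without ever seeing it opened. The `Flow` record layout, the thresholds (20 ports in 60 seconds) and the sample traffic are all assumptions made for the example; LEM's own inference logic is not shown on the page.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed flow record (constructed field set, not LEM's event schema)."""
    ts: float      # seconds since start of the sample
    proto: str     # "TCP" or "UDP"
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port
    flags: str     # TCP flags on the first packet seen, e.g. "S", "SA", "A"; "" for UDP


# Constructed sample traffic: 10.0.0.5 sweeps 25 UDP ports on one host in a few
# seconds, 10.0.0.6 does ordinary DNS lookups, 10.0.0.7 is seen mid-connection
# (ACK but no SYN), 10.0.0.8 opens a normal TCP connection.
SAMPLE_FLOWS = (
    [Flow(1.0 + i * 0.2, "UDP", "10.0.0.5", "10.0.0.10", 1000 + i, "") for i in range(25)]
    + [Flow(5.0 + i * 7.0, "UDP", "10.0.0.6", "10.0.0.53", 53, "") for i in range(10)]
    + [Flow(12.0, "TCP", "10.0.0.7", "10.0.0.20", 445, "A")]
    + [Flow(13.0, "TCP", "10.0.0.8", "10.0.0.20", 443, "S")]
)


def port_scan_sources(flows, window=60.0, min_ports=20):
    """Return {src: sorted distinct ports} for every source that touched at
    least `min_ports` distinct destination ports within some `window`-second
    span. Generic sweep heuristic (an assumption), not LEM's inference logic."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda f: f.ts)
        for i, start in enumerate(recs):
            ports = set()
            for f in recs[i:]:
                if f.ts - start.ts > window:
                    break
                ports.add(f.dport)
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits


def missing_syn_flows(flows):
    """TCP flows whose first observed packet carried no SYN: the sensor saw a
    connection it never saw opened (stateless probing, asymmetric routing, or
    a session older than the sensor's state). A prompt to look, not an alarm."""
    return [f for f in flows if f.proto == "TCP" and "S" not in f.flags]


def summarize(flows):
    """Human-readable lines giving the context an 'Inferred [...]' field omits."""
    lines = []
    for src, ports in port_scan_sources(flows).items():
        lines.append(f"{src}: {len(ports)} distinct ports in one window ({ports[0]}-{ports[-1]})")
    for f in missing_syn_flows(flows):
        lines.append(f"{f.src}->{f.dst}:{f.dport} TCP seen without SYN (flags={f.flags!r})")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_FLOWS):
        print(line)
```

Run as-is it reports only the sweeping host and the SYN-less session; the DNS client and the normal TCP open stay quiet. The point for monitoring is that the inference event is only as useful as the source, destination and port detail attached to it, which is what a reviewer needs in order to decide between a scan, a misrouted path and a stale sensor state.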