Hi, a question about a SonicWall firewall. When any packet comes in, the firewall logs a "Connection opened" and then, immediately following it, a "Connection closed", instead of simply logging that the connection was refused or the packet was dropped.
I read somewhere on a forum that, since the SonicWall does further inspection before dropping an unwanted connection request, instead of logging that a packet was dropped it first logs "connection opened" and then "connection closed". Seems strange.
Bottom line: when QRadar sees all these "Connection Opened" events, it doesn't correlate them with the following "Connection closed" and understand that there was effectively a connection refused, but rather believes that there are now open connections to unsavoury external IP addresses. Getting a lot of:
- "Non-Servers Communicating with External IP Classified as Dynamic containing Connection Opened"
- "Local IRC Server Detected containing Connection Opened"
Any advice about tuning in this situation would be much appreciated.
------------------------------
Amir
------------------------------
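One way to check the pairing idea offline before touching QRadar rules, as an added example that is not from the post or from SonicWall/QRadar: pair each "Connection Opened" with the next "Connection Closed" for the same flow and keep only the pairs that lived longer than a short threshold. The log layout, field names and sample lines below are constructed for the example; the real SonicWall syslog format differs, so the regex would need adapting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in an assumed key=value layout (not SonicWall's real
# format). Two flows open and close in the same second, one lives for minutes,
# and one never closes within the sample.
SAMPLE_LOGS = """\
2024-05-01T10:00:00 msg="Connection Opened" src=203.0.113.5 dst=192.0.2.10 dport=6667 proto=tcp
2024-05-01T10:00:00 msg="Connection Closed" src=203.0.113.5 dst=192.0.2.10 dport=6667 proto=tcp
2024-05-01T10:00:05 msg="Connection Opened" src=192.0.2.20 dst=198.51.100.7 dport=443 proto=tcp
2024-05-01T10:00:06 msg="Connection Opened" src=203.0.113.9 dst=192.0.2.10 dport=22 proto=tcp
2024-05-01T10:00:06 msg="Connection Closed" src=203.0.113.9 dst=192.0.2.10 dport=22 proto=tcp
2024-05-01T10:02:30 msg="Connection Closed" src=192.0.2.20 dst=198.51.100.7 dport=443 proto=tcp
2024-05-01T10:03:00 msg="Connection Opened" src=192.0.2.21 dst=198.51.100.8 dport=80 proto=tcp
"""

# Assumed field layout; adapt to the fields the appliance actually emits.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) msg="Connection (?P<event>Opened|Closed)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$'
)

def classify_connections(log_text, refused_window=1.0):
    """Pair Opened/Closed events per flow key (src, dst, dport, proto).

    A pair whose lifetime is <= refused_window seconds is bucketed as
    'refused' (the open-then-close the firewall logs while rejecting traffic);
    longer pairs are 'established'; Opened events with no Closed are 'still_open'.
    Only the last two buckets deserve an alert.
    """
    pending = defaultdict(deque)  # flow key -> FIFO of open timestamps
    result = {"refused": [], "established": [], "still_open": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a connection event in the assumed layout
        ts = datetime.fromisoformat(m["ts"])
        key = (m["src"], m["dst"], int(m["dport"]), m["proto"])
        if m["event"] == "Opened":
            pending[key].append(ts)
        elif pending[key]:
            lifetime = (ts - pending[key].popleft()).total_seconds()
            result["refused" if lifetime <= refused_window else "established"].append(key)
    for key, opens in pending.items():
        result["still_open"].extend([key] * len(opens))
    return result

if __name__ == "__main__":
    for bucket, flows in classify_connections(SAMPLE_LOGS).items():
        print(bucket, flows)
```

In QRadar terms this is the same thing a rule with a "not followed by Connection Closed from the same source and destination within N seconds" condition would do; running the script over an export first lets you pick N from real data.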