I need help here. We are getting numerous incidents in one of our CS-MARS boxes regarding the Scans-Stealth system rule. This rule is triggered by the event type TCP FIN Host Sweep. The source IPs were internal to our network and destined to external IPs of a telco and other sites. One of the notable sites is yahoo.com. I'm just wondering what is causing these alerts to trigger, P2P or streaming?
According to this signature:
TCP FIN Host Sweep
The host sweep signatures 3030 and 3032 detect behaviors that should not be observed from sources outside the local network but are normal behaviors for sources from within the local network.
Exclude internal networks as sources.
Based on the signature, this alert is not malicious unless the source IP is external. So, is it OK to tune this out, or leave it and then always monitor? Sometimes it's quite annoying though.
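The tuning the signature text recommends (suppress host-sweep events whose source is inside the local network, keep those from external sources) can be checked offline before touching the sensor. The following is an added example, not CS-MARS code or anything from the original post; it assumes the RFC 1918 ranges stand in for "the local network" and uses constructed sample events, and it also tallies which internal hosts are noisiest so they can be investigated (P2P, streaming) rather than just silenced.

```python
import ipaddress
from collections import Counter

# Signature IDs named in the signature description (TCP FIN Host Sweep family).
HOST_SWEEP_SIGS = {3030, 3032}

# Assumption: RFC 1918 ranges represent "the local network" in this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(events):
    """Apply the 'exclude internal networks as sources' tuning.

    Returns (suppressed, kept, noisy_sources): host-sweep events from internal
    sources are suppressed and counted per source; everything else is kept,
    including host sweeps from external sources, which remain actionable.
    """
    suppressed, kept, noisy = [], [], Counter()
    for ev in events:
        if ev["sig"] in HOST_SWEEP_SIGS and is_internal(ev["src"]):
            suppressed.append(ev)
            noisy[ev["src"]] += 1
        else:
            kept.append(ev)
    return suppressed, kept, noisy


# Constructed sample events; not taken from the poster's MARS console.
SAMPLE_EVENTS = [
    {"sig": 3030, "src": "10.1.2.3", "dst": "203.0.113.10"},
    {"sig": 3032, "src": "10.1.2.3", "dst": "198.51.100.7"},
    {"sig": 3030, "src": "192.168.5.9", "dst": "203.0.113.44"},
    {"sig": 3030, "src": "198.51.100.200", "dst": "10.1.2.3"},  # external source: keep
    {"sig": 0, "src": "10.1.2.3", "dst": "203.0.113.10"},  # placeholder non-sweep id
]

if __name__ == "__main__":
    s, k, n = triage(SAMPLE_EVENTS)
    print(f"suppressed={len(s)} kept={len(k)} noisiest={n.most_common(1)}")
```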