From fcfce03d827a8eeb8f890fb5bb0cefe433d12b7b Mon Sep 17 00:00:00 2001 From: Aleksi Bovellan <53447593+aleksibovellan@users.noreply.github.com> Date: Fri, 10 May 2024 19:01:09 +0300 Subject: [PATCH] Updated README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6a3d2d0..5243319 100644 --- a/README.md +++ b/README.md 
@@ -42,8 +42,8 @@ IMPORTANT: If a previous customized "local.rules" file exists in your Suricata ( - These rules might also detect other port scanners than NMAP, which happen to use the same or very similar kind of packets. - After loading these rules, expect to see alerts triggered from WAN interface as the result of everyday scanning and probing, legal and illegal. Use "whois IP" and IP tracing websites to find out more about those scanners. (Many times they hide behind some VPNs or cloud servers, though) - These rules may very seldom react to some legit self-made connection attempts, which just happen to resemble NMAP packets, and/or are sent in a too rapid rate to be ignored safely. -- Some of the new detection rules concerning more regular types of network traffic, like the SYN-ACK 3-WAY scan (-sT) and ACK scan (-sA), had to be throttled back a bit in their speeds, up to T2-T3, to avoid unnecessary false alarms from legit traffic. And even regardless of that, some of the very most common ports still took hits during stress-testing, so a few of those most common ports just had to be excluded all together to make the rules work in any sensible way. -- Sometimes by lucky accident, your device chooses its ephemeral source port to be 4444, which leads to the destination service to respond with that port being the destination port number, and that connection might get flagged as "possible shell metasploit" connection - which it is note. For that reason, some of the most common ports have been excluded from that rule. Just something to be aware of. +- Sometimes by lucky accident, your device chooses its ephemeral source port to be port number 4444, which leads to the destination service responding to connect back to that port number as its destination, and that connection might get flagged as "possible shell metasploit" connection - which it is not. For that reason, some of the most common ports have been excluded from that rule. Just something to be aware of. 
+- Some of these new (version 2.01) NMAP detection rules concerning more regular types of network traffic, like the SYN-ACK 3-WAY scan (-sT) and ACK scan (-sA), had to be throttled back a bit, up to T2-T3, to avoid unnecessary false alarms from legit traffic. And even regardless of that, some of the very most common ports still took hits during stress-testing, so a few of those most common ports just had to be excluded all together to make the rules work in any sensible way. ## CROWDSEC COMPATIBILITY
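Review bot: the rewritten 4444 bullet in this hunk still misdescribes the mechanism: when the client happens to pick ephemeral source port 4444, the server's reply segments on that same TCP connection simply carry 4444 as their destination port; nothing "connects back", and "responding to connect back to that port number" reads as if a second connection were opened. Suggest wording it as: "Sometimes your device picks ephemeral source port 4444, so the server's replies on that same connection have destination port 4444 and can be flagged as a "possible shell metasploit" connection - which it is not." Two smaller points in the same hunk: the reordered -sT/-sA bullet now hardcodes "version 2.01" into body text that will go stale with the next release (drop the number or keep it in a changelog), and "throttled back a bit, up to T2-T3" should state explicitly that these are Nmap timing templates (-T2/-T3), so the reader knows which scan speeds the rules are tuned to catch. Both bullets also say "some of the most common ports" were excluded without naming them, so a reader cannot tell which scans on which ports will go undetected; list the excluded ports or point at the rule sids. Minor: "all together" should be "altogether".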