Suricata-IDS and Nmap

Looks like my email response got cut off. Reposting the full response in the Discourse Web which explains it:

Hi Jason,

Looking at these rules, I see a few problems:

  1. They lock it down to a specific IP address, which yes could be used to detect scans, but might not be good for the general ruleset from an FP perspective.
  2. They do not actually affirmatively identify Nmap; they may identify the technique, but it could be any tool using the same scan.
  3. There isn’t any thresholding, which will result in FPs for at least some of these signatures.

Still, I’ll inquire with our threat research team to see if there’s anything we can do to detect the techniques in a reliable manner.

Regards,

1 Like
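To illustrate the three points in the reply above, here is a constructed Suricata rule fragment added as an example; it is not part of the original thread and not Jason's rules. The source address, sids, message text and threshold values are all assumptions.

```suricata
# Weak form (constructed): pinned to one source IP and fires on every SYN.
# It does not identify Nmap, only a SYN, and produces an alert per packet.
alert tcp 203.0.113.5 any -> $HOME_NET any (msg:"Nmap scan"; flags:S; sid:9000001; rev:1;)

# Firmer form (constructed): match the technique from any external source,
# say so in the message, and alert only once a source exceeds a rate that
# ordinary clients do not reach. threshold "type both" suppresses repeats
# for the rest of the interval, so one noisy source yields one alert/minute.
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"RECON TCP SYN sweep from single source (technique, not tool-specific)"; \
    flow:stateless; \
    flags:S,12; \
    threshold: type both, track by_src, count 50, seconds 60; \
    classtype:attempted-recon; \
    sid:9000002; rev:1; )
```

The count and seconds values need tuning per network; a busy internal scanner or monitoring host will still trip the rule and belongs in a suppress or pass rule rather than a hard-coded IP.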