What are you using for "virus rules"?
Typically, filtering on a single port number alone is prone to a LOT of false positives and is not recommended. As best I can tell, your "virus" in example 1 is someone's phone making an SSL connection back to their company's webpage (most likely Exchange ActiveSync).
My general rule with "virus" filters is: don't use them unless you explicitly understand how and what they are flagging and have a reason to be flagging it. If you couldn't write that rule yourself, it will probably just cause you trouble down the road, ESPECIALLY with port-based filters. Since most viruses change ports now anyway, port matching defeats the point even further.
That said, it isn't a bad idea to have a few logging rules just to keep an eye on certain "high value" indicators: excessive use of SMTP (TCP 25), Windows File Sharing (TCP 445,139 & UDP 137,138), and maybe MS SQL (TCP 1433,1434). Again, some traffic on these is normal or can be a simple misconfiguration. What you want to look for is things like 10 new connections in a 30-second window, which indicates something actively scanning and looking for outside hosts.
Yes, they are port based. I set up these rules based on an online course for Mikrotik I had found. I figured false positives would be pretty high with this method. Has someone scripted a better set of rules that can really detect them in a better manner? Here are my firewall rules. Thanks!
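# RouterOS /ip firewall filter rules as posted, with review notes and three
# small fixes (marked FIX below). Rules are evaluated top to bottom within a
# chain; the first terminating action (accept/drop) wins.
#
# NOTE(review): every action=drop rule that lives in chain=virus is reached only
#   if some chain=forward rule does action=jump jump-target=virus. No jump rule
#   appears in this listing; unless one exists elsewhere, the matching "Log ..."
#   rules in chain=forward fire but nothing is actually dropped. Confirm with
#   /ip firewall filter print before relying on any of the port-based drops.
# NOTE(review): the brute-force and port-scan counters sit above the
#   established/related accepts, so any counter rule without
#   connection-state=new is hit by every packet of an already-open session, not
#   only by new connections.
# NOTE(review): dst-address=1.1.1.1 looks like a redacted/placeholder address for
#   the protected host - confirm before importing.

# --- SSH brute-force staging (chain=input: traffic to the router itself) ---
# As the rules read: a source opening a new SSH connection lands in ssh_stage1
# (1m); a further new connection while still listed promotes it to stage2, then
# stage3, and the next one puts it in ssh_blacklist for 1w3d, where it is logged
# and all its tcp to the router is dropped.
add action=log chain=input comment="Log SSH brute force" disabled=no \
    log-prefix="SSH BRUTE FORCE" src-address-list=ssh_blacklist
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new disabled=no \
    dst-address=1.1.1.1 dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-address=1.1.1.1 dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-address=1.1.1.1 dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-address=1.1.1.1 dst-port=22 protocol=tcp

# --- Outbound SMTP spammer detection ---
# The log rule is in chain=forward, but the detector and the drop are in
# chain=virus (see the NOTE at the top about the missing jump).
add action=log chain=forward comment="log virus spammer" disabled=no \
    log-prefix="INTERNAL VIRUS" src-address-list=spammer
add action=drop chain=virus comment="Drop Spammer" disabled=no dst-port=25 \
    protocol=tcp src-address-list=spammer
add action=add-src-to-address-list address-list=spammer address-list-timeout=1d \
    chain=virus comment="add to spammer list" connection-limit=30,32 disabled=no \
    dst-port=25 limit=50,5 protocol=tcp

# --- Port-scan detection (chain=input) ---
# psd is RouterOS's built-in port-scan detector; the tcp-flags rules catch the
# classic malformed-flag probes. Sources are held in "port scanners" for 2w.
# NOTE(review): detection happens on chain=input, but the list is only logged
#   and dropped on chain=forward below - there is no input-chain drop for it in
#   this listing, so a detected scanner can still reach the router itself.
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=log chain=forward comment="Log port scanners" disabled=no \
    log-prefix="PORT SCANNER" src-address-list="port scanners"
add action=drop chain=forward comment="dropping port scanners" disabled=no \
    src-address-list="port scanners"

# --- RDP brute-force staging (chain=forward, same scheme as SSH) ---
add action=log chain=forward comment="Log brute force rdpers" disabled=no \
    dst-port=3389 log-prefix="RDP BRUTE FORCE" protocol=tcp \
    src-address-list=rdp_blacklist
add action=drop chain=forward comment="Drop brute force rdpers" disabled=no \
    protocol=tcp src-address-list=rdp_blacklist
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=1w3d chain=forward connection-state=new disabled=no \
    dst-address=1.1.1.1 dst-port=3389 protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 \
    address-list-timeout=1m chain=forward connection-state=new disabled=no \
    dst-address=1.1.1.1 dst-port=3389 protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 \
    address-list-timeout=1m chain=forward connection-state=new disabled=no \
    dst-address=1.1.1.1 dst-port=3389 protocol=tcp src-address-list=rdp_stage1
# FIX: connection-state=new was missing here (and on ftp_stage1), unlike every
# other stage rule. Without it, every packet of an open RDP session kept the
# source in stage1, so a legitimate user's second connection could escalate.
add action=add-src-to-address-list address-list=rdp_stage1 \
    address-list-timeout=1m chain=forward connection-state=new disabled=no \
    dst-address=1.1.1.1 dst-port=3389 protocol=tcp

# --- FTP brute-force staging (chain=forward, 30s windows) ---
add action=log chain=forward comment="Log brute force ftpers" disabled=no \
    dst-port=21 log-prefix="BRUTE FORCE FTP" protocol=tcp \
    src-address-list=ftp_blacklist
add action=drop chain=forward comment="Drop brute force ftpers" disabled=no \
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=add-src-to-address-list address-list=ftp_blacklist \
    address-list-timeout=1w3d chain=forward connection-state=new disabled=no \
    dst-address=1.1.1.1 dst-port=21 protocol=tcp src-address-list=ftp_stage3
add action=add-src-to-address-list address-list=ftp_stage3 \
    address-list-timeout=30s chain=forward connection-state=new disabled=no \
    dst-address=1.1.1.1 dst-port=21 protocol=tcp src-address-list=ftp_stage2
add action=add-src-to-address-list address-list=ftp_stage2 \
    address-list-timeout=30s chain=forward connection-state=new disabled=no \
    dst-address=1.1.1.1 dst-port=21 protocol=tcp src-address-list=ftp_stage1
# FIX: connection-state=new added for the same reason as rdp_stage1.
add action=add-src-to-address-list address-list=ftp_stage1 \
    address-list-timeout=30s chain=forward connection-state=new disabled=no \
    dst-address=1.1.1.1 dst-port=21 protocol=tcp

# --- Connection-tracking shortcuts ---
# Left in this position on purpose: moving them above the blacklist drops would
# let an already-established session from a blacklisted source keep flowing.
add action=accept chain=forward comment="allow established connections" \
    connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" \
    connection-state=related disabled=no
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid disabled=no

# --- Port-based "virus" signatures ---
# Each pair is a log rule in chain=forward plus a drop rule in chain=virus.
# Because these come after the established/related accepts, only new
# connections are logged. Expect noise on 135-139/445 and 1433-1434: those are
# ordinary Windows file-sharing and MS SQL ports between LAN segments.
add action=log chain=forward comment="Log Blaster Worm" disabled=no \
    dst-port=135-139 log-prefix="BLASTER VIRUS ON TCP" protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no \
    dst-port=135-139 protocol=tcp
add action=log chain=forward comment="Log Blaster Worm" disabled=no \
    dst-port=445 log-prefix="BLASTER WORM VIRUS" protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" disabled=no \
    dst-port=445 protocol=udp
add action=log chain=forward comment="Log Unknown Virus" disabled=no \
    dst-port=593 log-prefix="UNKNOWN VIRUS" protocol=tcp
# FIX: placeholder comment "________" replaced with a descriptive one.
add action=drop chain=virus comment="Drop Unknown Virus (tcp/593)" disabled=no \
    dst-port=593 protocol=tcp
add action=log chain=forward comment="Log Unknown Virus" disabled=no \
    dst-port=1024-1030 log-prefix="UNKNOWN VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Unknown Virus (tcp/1024-1030)" \
    disabled=no dst-port=1024-1030 protocol=tcp
add action=log chain=forward comment="Log MYDOOM virus" disabled=no \
    dst-port=1080 log-prefix="MYDOOM VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 \
    protocol=tcp
add action=log chain=forward comment="Log Unknown Virus" disabled=no \
    dst-port=1214 log-prefix="UNKNOWN VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Unknown Virus (tcp/1214)" disabled=no \
    dst-port=1214 protocol=tcp
add action=log chain=forward comment="Log NDM requester" disabled=no \
    dst-port=1363 log-prefix="NDM VIRUS" protocol=tcp
add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 \
    protocol=tcp
add action=log chain=forward comment="Log NDM Server Virus" disabled=no \
    dst-port=1364 log-prefix="NDM SERVER VIRUS" protocol=tcp
add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 \
    protocol=tcp
add action=log chain=forward comment="Log Screen Cast Virus" disabled=no \
    dst-port=1368 log-prefix="SCREEN CAST VIRUS" protocol=tcp
add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 \
    protocol=tcp
# FIX: this log rule was the only one in chain=virus; moved to chain=forward
# to match every other "Log ..." rule so it is reached like the rest.
add action=log chain=forward comment="Log HROMGRAFX Virus" disabled=no \
    dst-port=1373 log-prefix="HROMGRAFX VIRUS" protocol=tcp
add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 \
    protocol=tcp
add action=log chain=forward comment="Log Cichlid Virus" disabled=no \
    dst-port=1377 log-prefix="CICHLID VIRUS" protocol=tcp
add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 \
    protocol=tcp
add action=log chain=forward comment="Log Worm Virus" disabled=no \
    dst-port=1433-1434 log-prefix="WORM VIRUS" protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 \
    protocol=tcp
# Bagle (2745) and Beagle.C-K (2745) below are the same port; the second pair
# is redundant but kept as posted.
add action=log chain=forward comment="Log Bagle Virus" disabled=no \
    dst-port=2745 log-prefix="BAGLE VIRUS" protocol=tcp
add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 \
    protocol=tcp
add action=log chain=forward comment="Log Dumaru.Y Virus" disabled=no \
    dst-port=2283 log-prefix="DUMARU.Y VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 \
    protocol=tcp
add action=log chain=forward comment="Log Beagle Virus" disabled=no \
    dst-port=2535 log-prefix="BEAGLE VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 \
    protocol=tcp
add action=log chain=forward comment="Log Beagle.C-K Virus" disabled=no \
    dst-port=2745 log-prefix="BEAGLE.C-K VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=2745 \
    protocol=tcp
add action=log chain=forward comment="Log MyDoom Virus" disabled=no \
    dst-port=3127-3128 log-prefix="MYDOOM VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" disabled=no \
    dst-port=3127-3128 protocol=tcp
add action=log chain=forward comment="Log Backdoor OptixPro Virus" disabled=no \
    dst-port=3410 log-prefix="BACKDOOR OPTIXPRO VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no \
    dst-port=3410 protocol=tcp
# FIX: comments on the three log rules below said "Drop ..." although the
# action is log; reworded so the rule list reads correctly.
add action=log chain=forward comment="Log Worm Virus" disabled=no \
    dst-port=4444 log-prefix="WORM VIRUS" protocol=tcp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=tcp
add action=log chain=forward comment="Log Worm Virus" disabled=no \
    dst-port=4444 log-prefix="WORM VIRUS" protocol=udp
add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=udp
add action=log chain=forward comment="Log Sasser Virus" disabled=no \
    dst-port=5554 log-prefix="SASSER VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 \
    protocol=tcp
add action=log chain=forward comment="Log Beagle.B Virus" disabled=no \
    dst-port=8866 log-prefix="BEAGLE.B VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 \
    protocol=tcp
add action=log chain=forward comment="Log Dabber.A-B Virus" disabled=no \
    dst-port=9898 log-prefix="DABBER.A-B VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=9898 \
    protocol=tcp
add action=log chain=forward comment="Log Dumaru.Y Virus" disabled=no \
    dst-port=10000 log-prefix="DUMARU.Y VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=10000 \
    protocol=tcp
add action=log chain=forward comment="Log MyDoom.B Virus" disabled=no \
    dst-port=10080 log-prefix="MYDOOM.B VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=10080 \
    protocol=tcp
add action=log chain=forward comment="Log Netbus Virus" disabled=no \
    dst-port=12345 log-prefix="NETBUS VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 \
    protocol=tcp
add action=log chain=forward comment="Log Kuang2 Virus" disabled=no \
    dst-port=17300 log-prefix="KUANG2 VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 \
    protocol=tcp
add action=log chain=forward comment="Log Subseven Virus" disabled=no \
    dst-port=27374 log-prefix="SUBSEVEN VIRUS" protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=27374 \
    protocol=tcp
add action=log chain=forward comment="Log Phatbot, Agobot, Gaobot Virus" \
    disabled=no dst-port=65506 log-prefix="PHATBOT, AGOBOT, GAOBOT VIRUSES" \
    protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no \
    dst-port=65506 protocol=tcp

# --- Default policy for chain=forward ---
# NOTE(review): "allow TCP", "allow ping" and "allow udp" accept everything for
#   those protocols, so "drop everything else" only ever sees other IP
#   protocols, and the "Allow HTTP"/"Allow SMTP" rules above it are redundant.
#   Kept as posted; tightening this is a policy decision for the owner.
add action=accept chain=forward comment="Allow HTTP" disabled=no dst-port=80 \
    protocol=tcp
add action=accept chain=forward comment="Allow SMTP" disabled=no dst-port=25 \
    protocol=tcp
add action=accept chain=forward comment="allow TCP" disabled=no protocol=tcp
add action=accept chain=forward comment="allow ping" disabled=no protocol=icmp
add action=accept chain=forward comment="allow udp" disabled=no protocol=udp
add action=drop chain=forward comment="drop everything else" disabled=no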