100 Days of YARA – Day 41: nmap

For reasons similar to masscan, it is worth investigating if Nmap is discovered on an unexpected host.

rule nmap
{
	meta:
		description = "Nmap network scanner"
		reference = "https://nmap.org"

	strings:
		// Usage line from Nmap's built-in help text, stored as plain ASCII in the binary
		$ = "Usage: nmap [Scan Type(s)] [Options] {target specification}"

	condition:
		all of them
}
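
The rule above matches any file that contains the usage string, including documentation, saved terminal output, or a copy of the rule itself. The following added example, which is not part of the original post, keeps the same string but requires an executable file header; the rule name `nmap_executable_only` and the header checks are assumptions made for illustration.

```yara
// Added example (not the author's rule): same usage string,
// limited to files that begin with an executable header.
rule nmap_executable_only
{
	meta:
		description = "Nmap usage string inside a PE, ELF or Mach-O file"
		reference = "https://nmap.org"

	strings:
		$usage = "Usage: nmap [Scan Type(s)] [Options] {target specification}"

	condition:
		(
			uint16(0) == 0x5A4D or        // PE: "MZ"
			uint32(0) == 0x464C457F or    // ELF: 0x7F "ELF"
			uint32(0) == 0xFEEDFACE or    // Mach-O, 32-bit
			uint32(0) == 0xFEEDFACF or    // Mach-O, 64-bit
			uint32(0) == 0xBEBAFECA       // Mach-O universal binary (Java class files share this magic)
		) and $usage
}
```

A file that hits the original rule but not this one holds the string in a non-executable format. A packed or compressed copy of Nmap will not contain the string in clear text, so neither rule matches it on disk.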
