2016-05-11 04:26 AM
Hello Community,
I have the following ESA rule to detect port scans:
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event
(
device_type='snort'
AND ip_dstport=137
)
.std:groupwin(ip_src)
.std:unique(ip_dst)
.win:time(60 sec)
GROUP BY ip_src HAVING count(ip_dst) > 3;
But when I do a test (a port scan from the same source on 4 different IPs on port 137), I have lots of ESA alerts: something like 10 alerts. These alerts match the same ip_src and the same ip_dst.
However, if I choose to use a batch time window (win:time_batch(60 sec)), I'm not flooded by ESA alerts. I have only one alert, which corresponds to my test.
Do you know if this is normal? And would you be aware of any way to avoid this flood when using sliding time windows?
I would prefer to use sliding time windows to avoid missing some alerts if events trigger between 2 batch time windows...
Thanks for your help! 🙂
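The behaviour asked about above, as an added example that is not part of the original thread and not Esper or RSA code: a small Python model of the three window semantics. The sample events and IP addresses are constructed; `win:time` re-evaluates the HAVING clause on every arriving event, so once a source has crossed the threshold each further Snort event from it emits another alert, while `win:time_batch` evaluates once when the batch closes and can miss a scan that straddles a batch boundary. The third function is an assumed "alert on first crossing, re-arm when the source ages out of the window" suppression, which is the effect Esper's own output rate limiting (`output first every ...`) gives natively.

```python
from collections import defaultdict, deque

THRESHOLD = 3    # HAVING count(ip_dst) > 3
WINDOW_SEC = 60  # win:time(60 sec) / win:time_batch(60 sec)

# Constructed sample stream: (timestamp_sec, ip_src, ip_dst), all Snort events
# with ip_dstport=137. Source A probes 4 hosts and re-probes them (a real scan
# produces several events per target), then scans again in the next minute.
# Source B probes 4 hosts across the 60-second batch boundary.
SAMPLE_EVENTS = [
    (0, "10.1.1.50", "10.0.0.1"), (1, "10.1.1.50", "10.0.0.2"),
    (2, "10.1.1.50", "10.0.0.3"), (3, "10.1.1.50", "10.0.0.4"),
    (4, "10.1.1.50", "10.0.0.1"), (5, "10.1.1.50", "10.0.0.2"),
    (6, "10.1.1.50", "10.0.0.3"), (7, "10.1.1.50", "10.0.0.4"),
    (8, "10.1.1.50", "10.0.0.1"), (9, "10.1.1.50", "10.0.0.2"),
    (58, "10.1.1.51", "10.0.0.1"), (59, "10.1.1.51", "10.0.0.2"),
    (61, "10.1.1.51", "10.0.0.3"), (62, "10.1.1.51", "10.0.0.4"),
    (70, "10.1.1.50", "10.0.0.1"), (71, "10.1.1.50", "10.0.0.2"),
    (72, "10.1.1.50", "10.0.0.3"), (73, "10.1.1.50", "10.0.0.4"),
]


def _unique_dst_per_src(events):
    """std:unique(ip_dst) under groupwin(ip_src): distinct targets per source."""
    seen = defaultdict(set)
    for _, src, dst in events:
        seen[src].add(dst)
    return seen


def _evict_expired(window, now, window_sec):
    """Drop events older than the sliding window (event at t expires at t + window_sec)."""
    while window and window[0][0] <= now - window_sec:
        window.popleft()


def sliding_window_alerts(events, window_sec=WINDOW_SEC, threshold=THRESHOLD):
    """Model of win:time: each arriving event re-evaluates HAVING for its source,
    so every event after the threshold is crossed produces another alert."""
    window, alerts = deque(), []
    for ts, src, dst in sorted(events):
        window.append((ts, src, dst))
        _evict_expired(window, ts, window_sec)
        seen = _unique_dst_per_src(window)
        if len(seen[src]) > threshold:
            alerts.append((ts, src, sorted(seen[src])))
    return alerts


def batch_window_alerts(events, window_sec=WINDOW_SEC, threshold=THRESHOLD):
    """Model of win:time_batch: events accumulate and HAVING is evaluated once per
    source when the batch closes; a scan split across two batches is not seen."""
    batches = defaultdict(list)
    for ts, src, dst in events:
        batches[ts // window_sec].append((ts, src, dst))
    alerts = []
    for batch_id in sorted(batches):
        seen = _unique_dst_per_src(batches[batch_id])
        for src, dsts in sorted(seen.items()):
            if len(dsts) > threshold:
                alerts.append(((batch_id + 1) * window_sec, src, sorted(dsts)))
    return alerts


def first_crossing_alerts(events, window_sec=WINDOW_SEC, threshold=THRESHOLD):
    """Assumed suppression on top of the sliding window: alert when a source first
    exceeds the threshold, stay silent while it remains above it, and re-arm once
    its events age out of the window. Keeps the sliding window's coverage of
    scans that straddle a batch boundary without one alert per packet."""
    window, alerts, fired = deque(), [], set()
    for ts, src, dst in sorted(events):
        window.append((ts, src, dst))
        _evict_expired(window, ts, window_sec)
        seen = _unique_dst_per_src(window)
        fired = {s for s in fired if len(seen[s]) > threshold}  # re-arm aged-out sources
        if len(seen[src]) > threshold and src not in fired:
            alerts.append((ts, src, sorted(seen[src])))
            fired.add(src)
    return alerts


if __name__ == "__main__":
    for name, fn in (("win:time", sliding_window_alerts),
                     ("win:time_batch", batch_window_alerts),
                     ("win:time + first-crossing", first_crossing_alerts)):
        found = fn(SAMPLE_EVENTS)
        print(f"{name}: {len(found)} alert(s) -> {[(t, s) for t, s, _ in found]}")
```

On the constructed stream the plain sliding window fires nine times (seven of them for the single first scan, one per event after the fourth target), the batch window fires twice and never sees source B, whose four probes fall two in each batch, and the first-crossing variant fires once per scan for both sources.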
2016-06-01 08:27 AM
OK, understood! 🙂 Thank you, Nikolay!