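module Module_564eeceae4b06807f34ebd2d;

/*
 * Check Point firewall: first event per (ip_src, ip_dstport) pair.
 *
 * Input : Event rows with device_type 'checkpointfw1' whose ip_src,
 *         ip_dstport and ip_dst are all non-null.
 * Output: ip_src, ip_dstport, device_type, ip_dst of the first event seen
 *         for each (ip_src, ip_dstport) pair in a 3600-second time window.
 *
 * NOTE(review): the filter does not restrict on firewall action, port or
 * direction, so every distinct source/port pair in Check Point traffic
 * produces output. Confirm that this volume is intended for an alert rule.
 *
 * NOTE(review): oneInSeconds=0 presumably disables alert throttling;
 * confirm against the ESA documentation.
 *
 * NOTE(review): the hint reclaim_group_aged=10 is much shorter than the
 * 3600-second window. If idle groups are reclaimed after about 10 seconds,
 * a pair that goes quiet and then reappears may alert again within the same
 * hour. Verify against the engine's group-reclaim behaviour.
 */
@RSAPersist
@Name('Module_564eeceae4b06807f34ebd2d_Alert')
@Description('')
@RSAAlert(oneInSeconds=0)
@Hint('reclaim_group_aged=10,reclaim_group_freq=30')
SELECT ip_src, ip_dstport, device_type, ip_dst
FROM Event(
    /* Statement: CheckPoint */
    (device_type IN ( 'checkpointfw1' )
     AND ip_src is not null
     AND ip_dstport is not null
     AND ip_dst is not null)
).std:groupwin(ip_src,ip_dstport).win:time(3600 seconds).std:firstunique(ip_src,ip_dstport)
retain-intersection;
/* The terminating ';' above separates this statement from whatever follows
   in the module text; without it, a following annotation would be parsed as
   part of this statement. */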
/*
 * Snort: repeated traffic to destination port 137 from one source.
 *
 * Input : Event rows with device_type 'snort' and ip_dstport 137
 *         (137 is the NetBIOS Name Service port).
 * Window: the last 60 seconds of matching events, aggregated per ip_src.
 * Fires : when a source has more than 3 events with a non-null ip_dst in
 *         the window; window(*) returns the events held in the window.
 * Rate  : "output first every 30 min" emits the first qualifying result and
 *         then suppresses output for 30 minutes.
 *
 * NOTE(review): count(ip_dst) counts events, not distinct destinations, so
 * four events to a single host also satisfy the threshold. If the intent is
 * to detect one source touching several hosts, count(distinct ip_dst) is the
 * form to confirm with the rule owner.
 *
 * NOTE(review): ip_src is not checked for null, so events without a source
 * address would presumably be grouped together. Confirm whether that can
 * occur in this feed.
 */
@RSAAlert
SELECT window(*)
FROM Event(
    device_type = 'snort'
    AND ip_dstport = 137
).win:time(60 sec)
GROUP BY ip_src
HAVING count(ip_dst) > 3
OUTPUT FIRST EVERY 30 min;