Now I'm doing a port scan alert Policy.
Port scanning is a hacker's attack method。I can see its activity track in the firewall。I can see the source IP(scan_sip), source port and destination IP(scan_dip), destination port。Too many ports connected log on the firewall。
I passed the following method to extract the port scan behavior.
Set a time range, for example: 60s. And the interval between each event can not be greater than 7s. There are more than 40 elements in the collection. I think he is port scan, how do i search for such events?
I only need scan_sip, scan_dip, the number of elements in the collection
use "transaction"?
... View more