Hello,
I get a lot of alerts with this rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:20; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
This rule is supposed to generate an alert if it detects 5 or more SSH scans in 120 seconds. In my analysis, I noticed that, in this particular example, some external address is generating traffic to one internal IP:
We can see that the traffic is composed of 14 packets, which is enough to generate the alert. But when I check the alert info it shows this (only 1 packet):
How can I explain this behaviour?
Thanks in advance
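As an added example (not part of the original post, and not Emerging Threats' or Suricata's own code), the following Python models the documented semantics of the Snort/Suricata `threshold` keyword used by SID 2001219: `type both` raises one alert on the packet that brings a source to `count` matches inside the `seconds` window and then stays silent for the rest of that window, so the alert record carries only that single triggering packet, while `type threshold` fires on every `count`-th match and `type limit` on the first `count` matches of each window. Only the header checks relevant to the question (destination port 22, `flags:S,12`, `track by_src`) are modelled; the hosts, timestamps and packet list are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float      # seconds since start of the capture
    src: str
    dst: str
    dport: int
    flags: str     # TCP flag letters, e.g. "S", "SA", "SE" (SYN with ECE set)


def matches_rule(pkt):
    """Header checks of SID 2001219: dst port 22 and flags:S,12, i.e. SYN
    set and nothing else, ignoring reserved bits 1 and 2 (the CWR/ECE bits)."""
    significant = set(pkt.flags) - {"C", "E"}
    return pkt.dport == 22 and significant == {"S"}


class Threshold:
    """threshold: type <limit|threshold|both>, track by_src, count N, seconds S.

    State per source: [window_start, matches_in_window, alerted_in_window].
    """

    def __init__(self, kind, count, seconds):
        self.kind, self.count, self.seconds = kind, count, seconds
        self.state = {}

    def on_match(self, pkt):
        """Return True if this matching packet should produce an alert."""
        st = self.state.get(pkt.src)
        if st is None or pkt.ts - st[0] >= self.seconds:
            st = [pkt.ts, 0, False]          # open a new window for this source
            self.state[pkt.src] = st
        st[1] += 1
        n = st[1]
        if self.kind == "limit":            # first `count` matches per window
            return n <= self.count
        if self.kind == "threshold":        # every `count`-th match per window
            return n % self.count == 0
        if self.kind == "both":             # once per window, on the `count`-th match
            if n >= self.count and not st[2]:
                st[2] = True
                return True
            return False
        raise ValueError("unknown threshold type: %s" % self.kind)


def run(packets, kind, count=5, seconds=120):
    """Feed packets through the rule; return (src, ts) of each alerting packet."""
    thr = Threshold(kind, count, seconds)
    alerts = []
    for pkt in packets:
        if matches_rule(pkt) and thr.on_match(pkt):
            alerts.append((pkt.src, pkt.ts))
    return alerts


def sample_scan():
    """Constructed traffic (hypothetical addresses): 14 SYNs from one external
    host in ~40 s, the same again more than 120 s later, three SYNs from a
    second host, and a SYN/ACK in the reply direction that must not count."""
    scanner, victim, other = "203.0.113.10", "10.0.0.5", "198.51.100.7"
    pkts = [Packet(3.0 * i, scanner, victim, 22, "S") for i in range(14)]
    pkts += [Packet(300.0 + 3.0 * i, scanner, victim, 22, "S") for i in range(14)]
    pkts += [Packet(10.0 + i, other, victim, 22, "S") for i in range(3)]
    pkts.append(Packet(1.0, victim, scanner, 44321, "SA"))
    pkts.sort(key=lambda p: p.ts)            # stable sort keeps insertion order on ties
    return pkts


if __name__ == "__main__":
    pkts = sample_scan()
    for kind in ("both", "threshold", "limit"):
        alerts = run(pkts, kind)
        print("%-9s -> %d alert(s): %s" % (kind, len(alerts), alerts))
```

With `type both` the first burst of 14 SYNs yields exactly one alert, logged against the 5th SYN, and the later burst yields one more because it falls in a fresh 120-second window; switching the same traffic to `type threshold` or `type limit` shows how many alerts the other modes would have produced.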