Rule for alerting scan based on count

Is there a way to detect a network scan based only on the count of incoming packets/connections, not on payload? For example, alert when, within 60s, 5 packets came from one source IP to different destination IPs. Might a Lua script be used for it?

I would suggest first writing a rule that matches on all connections (e.g. by looking for a TCP SYN flag), then once that works look into thresholding:

OK, but it shouldn’t match when 5 packets come to the same dest IP, but only when 5 packets come to 5 different IPs… Is there any way to do this?
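The counting logic asked about in this thread (one source reaching 5 different destination IPs within 60s, with repeats to the same destination not counted), as an added Python example that is not from any poster and is not a Suricata rule or Lua script. The class and function names and the sample connection tuples are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # time window taken from the question
DISTINCT_DST_LIMIT = 5   # number of different destination IPs taken from the question


class DistinctDstScanDetector:
    """Sliding-window counter of distinct destinations per source (hypothetical helper)."""

    def __init__(self, window=WINDOW_SECONDS, limit=DISTINCT_DST_LIMIT):
        self.window, self.limit = window, limit
        self.events = defaultdict(deque)                       # src -> (ts, dst) in arrival order
        self.dst_counts = defaultdict(lambda: defaultdict(int))  # src -> dst -> hits in window
        self.alerted = set()                                   # sources currently over the limit

    def observe(self, ts, src, dst):
        """Feed one connection attempt (e.g. a TCP SYN); True when src newly hits the limit."""
        queue, counts = self.events[src], self.dst_counts[src]
        # Drop events that have aged out of the window and forget emptied destinations.
        while queue and ts - queue[0][0] >= self.window:
            _, old_dst = queue.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        queue.append((ts, dst))
        counts[dst] += 1
        # len(counts) is the number of *different* destinations, not the packet count.
        if len(counts) >= self.limit:
            if src not in self.alerted:
                self.alerted.add(src)
                return True
        else:
            self.alerted.discard(src)  # re-arm once the source drops below the limit
        return False


def find_scanners(events):
    """Return [(ts, src)] for each alert over (ts, src, dst) tuples."""
    detector = DistinctDstScanDetector()
    return [(ts, src) for ts, src, dst in sorted(events) if detector.observe(ts, src, dst)]


# Constructed sample: documentation-range sources, private destinations.
SAMPLE = (
    [(t, "192.0.2.10", "10.0.0.5") for t in (0, 5, 10, 15, 20, 25)]                  # same dst
    + [(2 + 10 * i, "198.51.100.20", f"10.0.0.{i + 1}") for i in range(5)]         # 5 dsts in 40s
    + [(30 * i, "203.0.113.30", f"10.0.0.{i + 1}") for i in range(5)]              # 5 dsts in 120s
)

if __name__ == "__main__":
    for ts, src in find_scanners(SAMPLE):
        print(f"t={ts}s possible scan from {src}")
```

Only the second source alerts: six packets to one destination and five destinations spread over 120s both stay below the limit.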