Is there a way to detect a network scan based only on the count of incoming packets/connections, not on payload? For example, alert when, within 60 s, 5 packets came from one source IP to different destination IPs. Might a Lua script be used for it?
I would suggest first writing a rule that matches on all connections (e.g. by looking for a TCP SYN flag), then once that works look into thresholding: https://suricata.readthedocs.io/en/suricata-5.0.3/rules/thresholding.html
OK, but it shouldn't match when 5 packets come to the same destination IP, only when 5 packets come to 5 different IPs. Is there any way to do this?
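As an added example (not from this thread), here is one way to get the distinct-destination criterion asked about above: let a plain SYN rule like the one suggested earlier log every SYN to eve.json, then count distinct destination IPs per source over a 60 s sliding window in a post-processing script. The rule sid, the eve.json field layout and the sample events are constructed assumptions for this illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # sliding window from the question
DISTINCT_DESTS = 5    # distinct destination IPs per source that trigger an alert


def ev(ts, src, dst):
    # Constructed eve.json "alert" record, as an assumed SYN rule
    # (alert tcp any any -> any any (msg:"SYN"; flags:S; sid:1000001;)) would log it.
    return json.dumps({"timestamp": ts, "event_type": "alert", "proto": "TCP",
                       "src_ip": src, "dest_ip": dst, "alert": {"signature_id": 1000001}})


BASE = "2024-05-01T10:%02d:%02d.000000+0000"
# Constructed sample: a scanner, a host hammering one destination, and a slow scanner.
SAMPLE_EVE = (
    [ev(BASE % (0, 10 * i), "10.0.0.5", f"10.0.1.{i + 1}") for i in range(5)]   # 5 dests in 40 s
    + [ev(BASE % (1, 10 * i), "10.0.0.9", "10.0.2.1") for i in range(5)]        # same dest 5 times
    + [ev(BASE % (2 * i, 0), "10.0.0.7", f"10.0.3.{i + 1}") for i in range(5)]  # 5 dests over 8 min
)


def parse_ts(ts):
    # eve.json timestamps carry microseconds and a numeric UTC offset.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()


def detect_scans(lines, window=WINDOW_SECONDS, min_dests=DISTINCT_DESTS):
    """Return [(src_ip, timestamp)] for each source that reached at least
    min_dests distinct destination IPs inside any `window` seconds.
    Repeated SYNs to one destination count once, which is what a plain
    threshold (track by_src, count N) does not give you. One alert per source."""
    recent = defaultdict(deque)   # src_ip -> deque of (epoch_seconds, dest_ip), oldest first
    alerted, hits = set(), []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        src, dst, ts = rec["src_ip"], rec["dest_ip"], parse_ts(rec["timestamp"])
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if src not in alerted and len({d for _, d in q}) >= min_dests:
            alerted.add(src)
            hits.append((src, rec["timestamp"]))
    return hits


if __name__ == "__main__":
    print(detect_scans(SAMPLE_EVE))   # only 10.0.0.5 should be reported
```

Feed it `tail -f eve.json` style input in production; events from the same source are assumed to arrive in timestamp order.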