Suricata rules about network scan

Hello Suricata Community!
I want to create a rule about network scan. This is my rule:
alert tcp any any -> any 22 (msg:"22 scan SYN"; flags:S; threshold: type both, track by_src, count 5, seconds 1; classtype:network-scan; sid:3000100; rev:1;)
I want to capture a source host sending SYN packets to five different destination hosts in a second, but my rule cannot detect different destination hosts.
Are there any keywords that can solve this problem?

I don’t think you can easily check if one host has talked to multiple different hosts in the rule language.
Could probably be done using Lua, but I would rather see if there was a different approach I could take that would cater better to the Suricata rule language.

Hi XuYuHan,

I haven’t tested this out but maybe flow keywords will help you out.

In this case setting flow: to_client, not_established might get you close to this. So you would be tracking by src, flow: to_client,not_established count, seconds, etc. You may be able to get something with setting the flowbit as well.
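
One way to get the "five different destination hosts in a second" condition outside the rule language, as an added example that is not part of any post in this thread: post-process Suricata's EVE JSON alerts and count distinct `dest_ip` values per `src_ip` in a sliding window. It assumes the rule above is loaded without its `threshold` option so every SYN to port 22 is logged, and that events arrive in timestamp order; the sample events are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_ts(s):
    # EVE timestamps look like 2024-01-01T12:00:00.000000+0000
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")

def find_scanners(lines, sid=3000100, min_dests=5, window=timedelta(seconds=1)):
    """Map each src_ip to the first time it reached min_dests distinct
    dest_ips within `window`, looking only at alerts for `sid`."""
    recent = defaultdict(deque)          # src_ip -> deque of (ts, dest_ip)
    hits = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("signature_id") != sid:
            continue
        ts, src = parse_ts(ev["timestamp"]), ev["src_ip"]
        q = recent[src]
        q.append((ts, ev["dest_ip"]))
        while ts - q[0][0] > window:     # drop events older than the window
            q.popleft()
        if src not in hits and len({dst for _, dst in q}) >= min_dests:
            hits[src] = ts
    return hits

def _ev(ms, src, dst, sid=3000100):
    # Constructed sample EVE alert, `ms` milliseconds after 12:00:00.
    ts = "2024-01-01T12:00:%02d.%06d+0000" % (ms // 1000, (ms % 1000) * 1000)
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src,
                       "dest_ip": dst, "dest_port": 22,
                       "alert": {"signature_id": sid}})

SAMPLE = (
    [_ev(i * 200, "10.0.0.5", "192.0.2.%d" % (i + 1)) for i in range(5)]      # 5 hosts in 0.8 s
    + [_ev(i * 100, "10.0.0.9", "192.0.2.50") for i in range(6)]              # 6 SYNs, one host
    + [_ev(i * 1000, "10.0.0.7", "192.0.2.%d" % (i + 1)) for i in range(5)]   # 5 hosts over 4 s
)
SAMPLE.sort(key=lambda l: json.loads(l)["timestamp"])

if __name__ == "__main__":
    for src, ts in find_scanners(SAMPLE).items():
        print(src, "reached 5 distinct hosts on port 22 within 1 s at", ts.isoformat())
```

The second sample source is the case the original `threshold ... track by_src, count 5` rule would alert on even though only one destination is involved; here it is not reported.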