I have the following ESA rule to detect port scans:
SELECT * FROM Event
GROUP BY ip_src HAVING count(ip_dst) > 3;
But when I run a test (a port scan from the same source against 4 different IPs on port 137), I get lots of ESA alerts: something like 10 alerts. These alerts match the same ip_src and the same ip_dst.
However, if I choose to use a batch time window (win:time_batch(60 sec)), I'm not flooded by ESA alerts. I get only one alert, which corresponds to my test.
Do you know if this is normal? And would you know of any way to avoid this flood when using sliding time windows?
I would prefer to use sliding time windows, to avoid missing alerts if events trigger between 2 batch time windows...
Thanks for your help! :-)
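An added simulation, written in Python rather than EPL and not part of the original post, of why a sliding win:time window re-evaluates the HAVING clause on every new event (one alert per event once the count exceeds 3) while win:time_batch evaluates once per batch. The events, IP addresses and the per-source suppression helper are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample events: (timestamp_sec, ip_src, ip_dst).
EVENTS = [
    (0, "10.0.0.5", "10.0.1.1"),
    (2, "10.0.0.5", "10.0.1.2"),
    (4, "10.0.0.5", "10.0.1.3"),
    (6, "10.0.0.5", "10.0.1.4"),
    (8, "10.0.0.5", "10.0.1.1"),   # retry to an already probed host
    (10, "10.0.0.5", "10.0.1.2"),
    (30, "10.0.0.9", "10.0.1.1"),  # different source, stays below threshold
]

WINDOW = 60     # seconds, as in win:time(60 sec) / win:time_batch(60 sec)
THRESHOLD = 3   # HAVING count(ip_dst) > 3

def sliding_alerts(events, window=WINDOW, threshold=THRESHOLD):
    """Mimic win:time(window): re-check the HAVING clause after every event."""
    per_src, alerts = defaultdict(deque), []
    for ts, src, _dst in events:
        q = per_src[src]
        q.append(ts)
        while q and q[0] <= ts - window:   # expire events older than the window
            q.popleft()
        if len(q) > threshold:             # fires again on EVERY further event
            alerts.append((ts, src, len(q)))
    return alerts

def batch_alerts(events, window=WINDOW, threshold=THRESHOLD):
    """Mimic win:time_batch(window): evaluate once when each batch closes."""
    alerts, batch_end, counts = [], window, defaultdict(int)
    for ts, src, _dst in events:
        while ts >= batch_end:             # close every batch that ended before this event
            alerts.extend((batch_end, s, c) for s, c in counts.items() if c > threshold)
            counts, batch_end = defaultdict(int), batch_end + window
        counts[src] += 1
    alerts.extend((batch_end, s, c) for s, c in counts.items() if c > threshold)
    return alerts

def sliding_alerts_first_only(events, window=WINDOW, threshold=THRESHOLD):
    """Sliding window, but keep only the first alert per ip_src within `window` seconds
    (assumed helper; the EPL engine may offer an output-rate-limiting clause for this)."""
    last_alert, out = {}, []
    for ts, src, n in sliding_alerts(events, window, threshold):
        if src not in last_alert or ts - last_alert[src] >= window:
            last_alert[src] = ts
            out.append((ts, src, n))
    return out
```

With the constructed events the sliding window produces three alerts for 10.0.0.5 (at the 4th, 5th and 6th event) and the batch window a single one when the 60-second batch closes; the suppression helper reduces the sliding output to the first alert while still detecting the scan as soon as the threshold is crossed.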