
ESA alert is flooding when using sliding time window

Question asked by Bwy4GgAhxvlUflMJfjPdriPLUqjZDfCRNZju5x6WmBE= on May 11, 2016
Latest reply on Jun 1, 2016 by Bwy4GgAhxvlUflMJfjPdriPLUqjZDfCRNZju5x6WmBE=

Hello Community,


I have the following ESA rule to detect port scans:

    @RSAAlert(oneInSeconds=0)
    SELECT * FROM Event
    (
        device_type='snort'
        AND ip_dstport=137
    )
    .std:groupwin(ip_src)
    .std:unique(ip_dst)
    .win:time(60 sec)
    GROUP BY ip_src HAVING count(ip_dst) > 3;


But when I do a test (a port scan from the same source on 4 different IPs on port 137), I get lots of ESA alerts: something like 10 alerts. These alerts match the same ip_src and the same ip_dst.

However, if I choose to use a batch time window (win:time_batch(60 sec)), I'm not flooded by ESA alerts. I have only one alert, which corresponds to my test.

Do you know if this is normal? And are you aware of any way to avoid this flood when using sliding time windows?

I would prefer to use sliding time windows to avoid missing alerts if events trigger between two batch time windows...

Thanks for your help! :-)
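The difference described above can be reproduced with a small simulation. The code below is an added example, not part of the original post and not Esper/ESA code: it models the rule's `std:groupwin(ip_src).std:unique(ip_dst)` state with a per-source dictionary, evaluates `count(ip_dst) > 3` on every arriving event for the sliding `win:time(60 sec)` case and once per batch for `win:time_batch(60 sec)`, and then applies a per-source suppression step (one alert per ip_src per 60 seconds) to show how a rate limit turns the flood into a single alert. The event list, IP addresses and the assumption that a sliding window re-fires the HAVING clause on each new event are constructed for the illustration.

```python
"""Sliding vs. batch time-window alerting for a port-scan rule (constructed model).

This is NOT Esper/ESA; it mimics the behaviour the post describes so the
flood can be seen and a per-source suppression step can be tested.
"""
from collections import defaultdict

WINDOW_SEC = 60        # .win:time(60 sec) / .win:time_batch(60 sec)
MIN_UNIQUE_DST = 3     # HAVING count(ip_dst) > 3

# Constructed sample events: (t_sec, device_type, ip_src, ip_dst, ip_dstport)
EVENTS = [
    (0,   "snort", "10.0.0.5", "10.0.1.1", 137),
    (1,   "snort", "10.0.0.5", "10.0.1.2", 137),
    (2,   "snort", "10.0.0.5", "10.0.1.3", 137),
    (3,   "snort", "10.0.0.5", "10.0.1.4", 137),  # 4th unique target: threshold crossed
    (4,   "snort", "10.0.0.5", "10.0.1.1", 137),  # repeats keep the count above 3 ...
    (5,   "snort", "10.0.0.5", "10.0.1.2", 137),  # ... so a sliding window re-fires
    (6,   "snort", "10.0.0.5", "10.0.1.5", 137),
    (7,   "snort", "10.0.0.5", "10.0.1.3", 137),
    (8,   "snort", "10.0.0.9", "10.0.1.1", 137),  # another source, one target only
    (9,   "snort", "10.0.0.5", "10.0.1.4", 80),   # wrong port: filtered out
    (100, "snort", "10.0.0.5", "10.0.1.6", 137),  # after the window: old state evicted
]


def matches_filter(ev):
    """Event(device_type='snort' AND ip_dstport=137)."""
    _, device_type, _, _, port = ev
    return device_type == "snort" and port == 137


def sliding_window_alerts(events, window=WINDOW_SEC, threshold=MIN_UNIQUE_DST):
    """Model of groupwin(ip_src).unique(ip_dst).win:time(window).

    Keeps the latest event per (ip_src, ip_dst), evicts entries older than
    `window`, and evaluates the HAVING clause on every arriving event, which
    is what produces one alert per event once the threshold is crossed.
    """
    latest = defaultdict(dict)  # ip_src -> {ip_dst: last_seen_t}
    alerts = []
    for ev in events:
        if not matches_filter(ev):
            continue
        t, _, src, dst, _ = ev
        latest[src][dst] = t
        latest[src] = {d: ts for d, ts in latest[src].items() if t - ts < window}
        if len(latest[src]) > threshold:
            alerts.append((t, src, sorted(latest[src])))
    return alerts


def batch_window_alerts(events, window=WINDOW_SEC, threshold=MIN_UNIQUE_DST):
    """Model of win:time_batch(window): buffer, then evaluate once per batch."""
    alerts = []
    batch = defaultdict(set)  # ip_src -> set of ip_dst seen in this batch
    batch_start = None

    def flush(t_end):
        for src, dsts in batch.items():
            if len(dsts) > threshold:
                alerts.append((t_end, src, sorted(dsts)))
        batch.clear()

    for ev in events:
        if not matches_filter(ev):
            continue
        t, _, src, dst, _ = ev
        if batch_start is None:
            batch_start = t
        while t - batch_start >= window:  # batch boundary passed: emit and reset
            flush(batch_start + window)
            batch_start += window
        batch[src].add(dst)
    if batch:
        flush(batch_start + window)
    return alerts


def suppress(alerts, window=WINDOW_SEC):
    """Keep the first alert per ip_src and drop repeats within `window` seconds.

    This is the kind of per-source rate limit that stops the sliding-window
    flood while still alerting as soon as the threshold is first crossed.
    """
    last_alert = {}
    kept = []
    for t, src, dsts in alerts:
        if src in last_alert and t - last_alert[src] < window:
            continue
        last_alert[src] = t
        kept.append((t, src, dsts))
    return kept


if __name__ == "__main__":
    sliding = sliding_window_alerts(EVENTS)
    print("sliding window alerts:", len(sliding))                 # 5
    print("batch window alerts:  ", len(batch_window_alerts(EVENTS)))  # 1
    print("sliding + suppression:", suppress(sliding))            # 1 alert at t=3
```

The sliding window alerts at t=3 as soon as the fourth unique target is seen and then again on every later event from the same source, while the batch window reports once when the batch closes; the suppression step keeps the early detection of the sliding window and drops the repeats.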
