Hello Community,
I have the following ESA rule to detect portscans:
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event
(
device_type='snort'
AND ip_dstport=137
)
.std:groupwin(ip_src)
.std:unique(ip_dst)
.win:time(60 sec)
GROUP BY ip_src HAVING count(ip_dst) > 3;
But when I run a test (a portscan from the same source against 4 different IPs on port 137), I get lots of ESA alerts: something like 10 alerts. These alerts match the same ip_src and the same ip_dst.
However, if I choose to use a batch time window (win:time_batch(60 sec)), I'm not flooded with ESA alerts. I have only one alert, which corresponds to my test.
Do you know if this is normal? And would you be aware of any way to avoid this flood when using sliding time windows?
I would prefer to use sliding time windows to avoid missing alerts if events trigger between 2 batch time windows...
Thanks for your help! :-)
Hi, this is normal. I would recommend putting some suppression on your rule to limit the number of alerts it will generate. For example:
https://rsaportal.force.com/customer/articles/How_To/Example-Advanced-ESA-Rule-which-shows-suppression-on-multiple-variables-in-RSA-Security-Analytics
Create an Advanced Event Stream Analysis rule with the following content:
The rule does the following:
The retain-intersection command ensures that only events matching ALL three of these criteria are forwarded.
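To see why the sliding window floods while the batch window does not, here is an added Python model of the two window types and of per-source suppression. It is not Esper code and not part of the thread; it assumes a simplified view of the EPL semantics (groupwin per ip_src, unique keeps the newest event per ip_dst, HAVING re-evaluated on every arriving event) and uses a constructed event stream with made-up addresses.

```python
from collections import defaultdict

# Constructed test stream: (seconds, ip_src, ip_dst). All are snort events to dstport 137,
# one scanner touching 4 hosts, then re-touching them (as a real scan retry would).
EVENTS = [(0, "10.0.0.5", "10.0.1.1"), (2, "10.0.0.5", "10.0.1.2"),
          (4, "10.0.0.5", "10.0.1.3"), (6, "10.0.0.5", "10.0.1.4"),
          (8, "10.0.0.5", "10.0.1.1"), (10, "10.0.0.5", "10.0.1.2"),
          (12, "10.0.0.5", "10.0.1.3"), (14, "10.0.0.5", "10.0.1.4"),
          (16, "10.0.0.5", "10.0.1.2"), (18, "10.0.0.5", "10.0.1.1")]

def sliding_alerts(events, window=60, threshold=3, suppress=0):
    """Model of groupwin(ip_src).unique(ip_dst).win:time(window) HAVING count(ip_dst) > threshold.
    The HAVING clause is checked on every arriving event, so a group keeps firing for as
    long as its unique-destination count stays above the threshold (the flood seen above).
    suppress=N models one alert per ip_src per N seconds (0 = no suppression, as in the post)."""
    newest = defaultdict(dict)   # ip_src -> {ip_dst: arrival time}; unique keeps the newest
    last_alert = {}
    alerts = []
    for t, src, dst in events:
        group = newest[src]
        group[dst] = t
        for d in [d for d, ts in group.items() if ts <= t - window]:
            del group[d]                       # event aged out of the sliding window
        if len(group) > threshold:
            if suppress and src in last_alert and t - last_alert[src] < suppress:
                continue                       # suppressed: same ip_src alerted recently
            last_alert[src] = t
            alerts.append((t, src, sorted(group)))
    return alerts

def batch_alerts(events, window=60, threshold=3):
    """Model of win:time_batch(window): groups are evaluated only when a batch closes,
    so one scan inside one batch yields one alert (but a scan straddling two batches can be missed)."""
    alerts, uniq, batch_start = [], defaultdict(set), None
    def flush(end_t):
        for src, dsts in uniq.items():
            if len(dsts) > threshold:
                alerts.append((end_t, src, sorted(dsts)))
        uniq.clear()
    for t, src, dst in events:
        batch_start = t if batch_start is None else batch_start
        while t >= batch_start + window:       # close every batch that ended before this event
            flush(batch_start + window)
            batch_start += window
        uniq[src].add(dst)
    if uniq:
        flush(batch_start + window)            # close the final batch
    return alerts
```

With the stream above, the sliding window fires 7 times, the batch window once, and the sliding window with 60-second per-source suppression once.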