
How to make correlation for horizontal IP scan.

Question asked by David Bursik on Oct 2, 2013
Latest reply on Oct 4, 2013 by David Bursik

Hi everyone,


I would like to create a correlation or something that can fire an alert when a horizontal IP scan is in progress.


I have found that there is a virus on one computer in our environment which tries to access computers in our network on IPs with incremental condition (,,,...)


I tried to make a correlation (inspired by IPv4 Vertical TCP Port Scan):


name="IPv4 Horizontal IP scan"

rule="tcp.dst exists"



timewin="1 min" type=correlation


But there is some problem with tcp.dst in the threshold.


Maybe I am totally wrong and it should be done a different way...



Can somebody help me please?


Thanks in advance
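
The detection idea behind the question, as an added example that is not part of the original post and is not the product's rule syntax: count distinct destination IPs per source host and destination port inside a sliding one-minute window, which catches a host walking consecutive addresses without relying on the order it visits them. The flow records, documentation-range addresses, threshold of 10 and function names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow records: (timestamp, source IP, destination IP, destination TCP port).
# Addresses come from documentation ranges and are not taken from the post.
def sample_flows():
    t0 = datetime(2013, 10, 2, 9, 0, 0)
    flows = [(t0 + timedelta(seconds=2 * i), "192.0.2.10", f"198.51.100.{i + 1}", 445)
             for i in range(12)]                      # one host walking consecutive IPs
    flows += [(t0 + timedelta(seconds=5 * i), "192.0.2.20", "198.51.100.5", 1000 + i)
              for i in range(12)]                     # vertical scan: one target, many ports
    flows += [(t0 + timedelta(minutes=10 * i), "192.0.2.30", f"198.51.100.{i + 1}", 445)
              for i in range(12)]                     # many targets, but spread over two hours
    return sorted(flows)

def detect_horizontal_scans(flows, window=timedelta(minutes=1), threshold=10):
    """Return alerts (src, port, window_start, distinct_dst_count), one per (src, port).

    A pair alerts when the source contacts more than `threshold` distinct
    destination IPs on the same port inside one sliding `window`.
    """
    recent = defaultdict(deque)   # (src, port) -> (time, dst) events still inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, port in flows:      # flows must be in time order
        key = (src, port)
        q = recent[key]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()                   # expire events older than the window
        distinct = {d for _, d in q}
        if len(distinct) > threshold and key not in alerted:
            alerted.add(key)              # alert once per pair, not on every later flow
            alerts.append((src, port, q[0][0], len(distinct)))
    return alerts

if __name__ == "__main__":
    for src, port, start, n in detect_horizontal_scans(sample_flows()):
        print(f"horizontal scan: {src} -> {n} hosts on tcp/{port} since {start}")
```

Grouping by source and port keeps a vertical port scan against one target from matching, and the time window keeps a host that legitimately reaches many machines over hours from matching.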