I would like to create a correlation or something that can fire an alert when a horizontal IP scan is in progress.
I have found that there is a virus on one computer in our environment which tries to access computers in our network on IPs with an incremental condition (xxx.xxx.xxx.1, xxx.xxx.xxx.2, xxx.xxx.xxx.3, ...).
I tried to make a correlation (inspired by IPv4 Vertical TCP Port Scan):
name="IPv4 Horizontal IP scan"
timewin="1 min" type=correlation
But there is some problem with tcp.dst in threshold.
Maybe I am totally wrong and it should be done in a different way...
Can somebody help me please?
Thanks in advance
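
A horizontal scan is one source reaching many distinct destination addresses in a short window, usually on the same port, whereas the vertical case counts distinct ports on one host. The Python below is an added example, not part of the original post and not written in the correlation-rule language quoted above; the threshold of 10, the grouping by destination port and the sample flow records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)  # same window as timewin="1 min" in the post
THRESHOLD = 10                 # assumed value: distinct destinations tolerated per window


def detect_horizontal_scans(events, window=WINDOW, threshold=THRESHOLD):
    """Flag sources reaching more than `threshold` distinct destination IPs on
    one destination port within `window`. `events` is a time-ordered iterable of
    (timestamp, src_ip, dst_ip, dst_port); returns (timestamp, src, port, count)."""
    recent = defaultdict(deque)  # (src_ip, dst_port) -> deque of (timestamp, dst_ip)
    active = set()               # keys already alerted, so one scan gives one alert
    alerts = []
    for ts, src, dst, port in events:
        key = (src, port)
        queue = recent[key]
        queue.append((ts, dst))
        # Drop connections that have aged out of the sliding window.
        while ts - queue[0][0] > window:
            queue.popleft()
        distinct = len({d for _, d in queue})
        if distinct > threshold and key not in active:
            active.add(key)
            alerts.append((ts, src, port, distinct))
        elif distinct <= threshold:
            active.discard(key)  # re-arm once the source quiets down
    return alerts


def sample_events():
    """Constructed flow records (not real traffic)."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # Host sweeping 10.0.0.1 .. 10.0.0.20 on TCP/445, one attempt per second.
    for i in range(1, 21):
        events.append((t0 + timedelta(seconds=i), "10.0.0.50", f"10.0.0.{i}", 445))
    # Busy client talking to a single server: many connections, one destination.
    for i in range(30):
        events.append((t0 + timedelta(seconds=2 * i), "10.0.0.7", "10.0.0.5", 443))
    # Slow client: 12 distinct destinations, but only one every 90 seconds.
    for i in range(1, 13):
        events.append((t0 + timedelta(seconds=90 * i), "10.0.0.8", f"10.0.0.{100 + i}", 445))
    return sorted(events)


if __name__ == "__main__":
    print(detect_horizontal_scans(sample_events()))
```

Only the sweeping host is flagged. The busy client and the slow client stay below the threshold because the count is over distinct destination addresses inside the window, not over connections.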