Hi,

I need to develop a new correlation rule that catches port scan activity
from the same source IP to different destination IPs.

This is my original sample:

filter(((e.CollectorNodeName = "MyFirewall")) AND ((e.EventName = "Deny protocol")) AND ((e.TargetPort = 445))) flow
trigger(10,15,discriminator(e.SourceIP))

But this rule fires even when I don't have different target IPs....

How can I develop it with windows?


--
alessandroBE
------------------------------------------------------------------------
alessandroBE's Profile: https://forums.netiq.com/member.php?userid=3860
View this thread: https://forums.netiq.com/showthread.php?t=48237
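
Added example, not part of the original post and not Sentinel rule syntax: a Python sketch of the detection logic the question is after, showing why counting events per SourceIP also fires on repeated hits against one host, while counting distinct TargetIP values per SourceIP does not. The field names come from the posted rule; reading `trigger(10,15,...)` as 10 events in 15 seconds, the `t` timestamp field, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

THRESHOLD = 10   # from trigger(10,15,...): read here as a count (assumption)
WINDOW = 15      # from trigger(10,15,...): read here as seconds (assumption)

def matches(e):
    """Same filter as the posted rule."""
    return (e["CollectorNodeName"] == "MyFirewall"
            and e["EventName"] == "Deny protocol"
            and e["TargetPort"] == 445)

def detect(events, by_distinct_target):
    """Return the set of SourceIPs that reach THRESHOLD inside WINDOW.

    by_distinct_target=False counts events per source (the behaviour
    described in the post); True counts distinct TargetIP values per source.
    """
    recent = defaultdict(deque)   # SourceIP -> deque of (time, TargetIP)
    fired = set()
    for e in sorted(filter(matches, events), key=lambda e: e["t"]):
        q = recent[e["SourceIP"]]
        q.append((e["t"], e["TargetIP"]))
        while q and e["t"] - q[0][0] > WINDOW:   # drop events outside the window
            q.popleft()
        n = len({ip for _, ip in q}) if by_distinct_target else len(q)
        if n >= THRESHOLD:
            fired.add(e["SourceIP"])
    return fired

def ev(t, src, dst):
    """Build one constructed firewall deny event (t is seconds, hypothetical field)."""
    return {"t": t, "CollectorNodeName": "MyFirewall",
            "EventName": "Deny protocol", "TargetPort": 445,
            "SourceIP": src, "TargetIP": dst}

# Constructed sample events (documentation addresses, not real traffic):
# 192.0.2.10 retries one host 12 times; 192.0.2.20 touches 10 hosts in 9 s.
SAMPLE = ([ev(i, "192.0.2.10", "198.51.100.5") for i in range(12)]
          + [ev(i, "192.0.2.20", f"198.51.100.{50 + i}") for i in range(10)])

if __name__ == "__main__":
    print("event count    :", sorted(detect(SAMPLE, False)))
    print("distinct target:", sorted(detect(SAMPLE, True)))
```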