Dear All,

I'm trying to build some correlation rules on slow, persistent attacks
such as slow port scanning. What I'm thinking is firing on traffic which
hit twice per 30 seconds, 10 times within an hour. It doesn't mean that
I want to fire on 20 hits within an hour or 20 hits within 1 minute. I
understood that the existing Sentinel interface didn't provide me the
interface of doing that. But is there any workaround for doing this?


jackcheng
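As an added illustration (not from the original post and not Sentinel's own correlation engine), the rule described above expressed as a two-stage window check over constructed sample traffic: first group hits into non-overlapping 30-second bursts of at least two hits, then fire only when ten such bursts begin within one hour. The event shape (timestamp, src_ip) and the threshold names are assumptions.

```python
from collections import defaultdict

BURST_WINDOW = 30       # seconds: "twice per 30 seconds"
BURST_HITS = 2
LONG_WINDOW = 3600      # seconds: "... 10 times within an hour"
BURSTS_REQUIRED = 10

def find_bursts(times, window=BURST_WINDOW, hits=BURST_HITS):
    """Split sorted timestamps into non-overlapping windows that each start at a
    hit; a window counts as a burst when it holds at least `hits` events. Hits in
    a counted burst are consumed, so 20 hits in one minute yield only 2 bursts,
    and 20 hits spread evenly over an hour yield none."""
    times = sorted(times)
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        if j - i >= hits:
            bursts.append(times[i])   # record when the burst began
            i = j                     # consume the hits in this burst
        else:
            i += 1
    return bursts

def slow_scan_sources(events, long_window=LONG_WINDOW, needed=BURSTS_REQUIRED):
    """events: iterable of (epoch_seconds, src_ip) tuples (assumed shape).
    Returns {src_ip: start_time} for sources where `needed` bursts begin
    within any `long_window` span."""
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        b = find_bursts(times)
        for k in range(len(b) - needed + 1):
            if b[k + needed - 1] - b[k] <= long_window:
                flagged[src] = b[k]   # time the qualifying sequence began
                break
    return flagged

# Constructed sample traffic in relative seconds, not taken from any real capture.
SAMPLE = (
    [(k * 300 + d, "10.0.0.5") for k in range(10) for d in (0, 5)]    # 2 hits every 5 min: fires
    + [(3 * i, "10.0.0.6") for i in range(20)]                        # 20 hits in one minute: no
    + [(180 * i, "10.0.0.7") for i in range(20)]                      # 20 hits over an hour: no
    + [(k * 420 + d, "10.0.0.8") for k in range(10) for d in (0, 5)]  # bursts 7 min apart: no
)

if __name__ == "__main__":
    print(slow_scan_sources(SAMPLE))   # {'10.0.0.5': 0}
```

Tuning `BURST_WINDOW` and `LONG_WINDOW` changes which pacing is caught; the consumption step in `find_bursts` is what keeps a single fast burst from counting as many bursts.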