
Horizontal scan detector address aggregation

Open thorgrin opened this issue 6 years ago • 0 comments

This is a feature request. Would it be possible to devise an algorithm to aggregate IP addresses for some detection modules, most importantly the horizontal scan detection, to whole subnets?

The reason is that when an attacker scans an entire /16 network, we only see a handful of IPs. Reporting subnets would make a lot of sense here. I can imagine that reporting subnets with > 90+% scanned would be really useful.

thorgrin, Jul 12 '18 14:07
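One way to do the roll-up the request asks for, as an added example that is not code from Nemea-Detectors: group a scanner's destination addresses per prefix, coarsest first, and report a subnet once the fraction of its addresses seen reaches the threshold (90% here, as the issue suggests). The prefix list, the threshold and the sample address set are constructed assumptions.

```python
"""Aggregate the destinations hit by one scanning source into subnets."""
import ipaddress
from collections import defaultdict


def aggregate_scanned(dst_ips, prefixes=(16, 24), threshold=0.9):
    """Roll scanned IPv4 destinations up into subnets.

    Buckets are tried from the coarsest prefix to the finest. A subnet is
    reported when the fraction of its addresses that were seen is >= threshold;
    addresses covered by a reported subnet are not counted again at finer
    prefixes. num_addresses counts network and broadcast addresses too, which
    a scanner sweeping a range also probes.

    Returns (reported, leftover): reported is a list of (network, seen, fraction)
    sorted by network; leftover holds addresses no subnet absorbed.
    """
    remaining = {ipaddress.IPv4Address(ip) for ip in dst_ips}
    reported = []
    for plen in sorted(prefixes):  # coarse to fine
        buckets = defaultdict(set)
        for ip in remaining:
            buckets[ipaddress.ip_network(f"{ip}/{plen}", strict=False)].add(ip)
        for net, seen in buckets.items():
            frac = len(seen) / net.num_addresses
            if frac >= threshold:
                reported.append((net, len(seen), frac))
                remaining -= seen
    reported.sort(key=lambda r: (int(r[0].network_address), r[0].prefixlen))
    return ([(str(net), n, frac) for net, n, frac in reported],
            sorted(str(ip) for ip in remaining))


# Constructed sample: one source hit 240 of 256 hosts in 10.0.0.0/24, swept
# 232 of every 256 hosts across all of 172.16.0.0/16, and touched three strays.
SAMPLE_DST_IPS = (
    [f"10.0.0.{i}" for i in range(240)]
    + [f"172.16.{a}.{b}" for a in range(256) for b in range(232)]
    + ["10.0.1.7", "10.0.1.9", "192.0.2.5"]
)

if __name__ == "__main__":
    subnets, strays = aggregate_scanned(SAMPLE_DST_IPS)
    for net, seen, frac in subnets:
        print(f"{net}: {seen} addresses seen ({frac:.1%})")
    print("not aggregated:", strays)
```

The /16 is reported as a whole even though each of its /24s would also pass the threshold, which is the behaviour you want when an attacker sweeps a large block.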