Hello,
I'm trying to create a search that will allow me to search a subnet for requests made from a single source IP to more than X number of destination IPs.
For example:
If 10.10.10.10 sends traffic over port 445 to all the devices in the range 10.10.10.11 - 10.10.10.50, that is 40 different destinations,
and 10.10.10.20 sent traffic over port 445 to 10.10.10.70 and 10.10.10.66, that is 2 different destinations,
I wouldn't want to see the traffic sent from 10.10.10.20, as the total number of destination IPs is too low.
Is it possible to do something like:
src_ip=10.10.10.0/24 dest_port=445 dest_ip_count>=10
src_ip=10.10.10.0/24 -- Range of IPs I want to search for traffic on
dest_port=445 -- Port the traffic is being sent on
dest_ip_count>=10 -- Theoretical parameter that filters out source IPs not sending traffic to 10+ different devices
Thanks