Channel: Latest Questions on Splunk Answers

Detection of stealthy events


On security issues, there are high-intensity events - scanning - and low-intensity (or stealthy) events - periodic or not - that take place, say, once every few days. The high-intensity ones can be detected quite easily. The question has to do with low or very low frequency events. The transaction command allows a maxspan parameter. Is there some way to define a minspan = x hours/days, with the intent to detect recurring events that exceed a given time interval measured in hours/days?
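
The check the question describes, written out in Python rather than SPL as an added example that is not part of the original post: group events by source and keep the sources that recur while every gap between consecutive events is at least a minimum span. The function name, the `min_events` threshold and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, source); not taken from the original post.
SAMPLE_EVENTS = [
    ("2024-03-01T02:14:00", "10.0.0.5"),   # one event roughly every 3 days
    ("2024-03-04T02:20:00", "10.0.0.5"),
    ("2024-03-07T01:58:00", "10.0.0.5"),
    ("2024-03-10T02:05:00", "10.0.0.5"),
    ("2024-03-02T09:00:00", "10.0.0.9"),   # high-intensity burst (scan-like)
    ("2024-03-02T09:00:05", "10.0.0.9"),
    ("2024-03-02T09:00:09", "10.0.0.9"),
    ("2024-03-02T09:00:14", "10.0.0.9"),
    ("2024-03-05T12:00:00", "10.0.0.7"),   # single event, not recurring
]


def find_slow_recurring(events, min_span, min_events=3):
    """Return {source: [gaps]} for sources seen at least min_events times
    where every gap between consecutive events is >= min_span (hypothetical helper)."""
    by_source = defaultdict(list)
    for ts, source in events:
        by_source[source].append(datetime.fromisoformat(ts))

    findings = {}
    for source, times in by_source.items():
        # A gap needs two events, so never accept fewer than two.
        if len(times) < max(min_events, 2):
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        # The "minspan" condition: no two consecutive events closer than min_span.
        if all(gap >= min_span for gap in gaps):
            findings[source] = gaps
    return findings


if __name__ == "__main__":
    hits = find_slow_recurring(SAMPLE_EVENTS, timedelta(hours=24))
    for source, gaps in hits.items():
        hours = [round(g.total_seconds() / 3600, 1) for g in gaps]
        print(f"{source}: {len(gaps) + 1} events, gaps in hours: {hours}")
```

The search window has to cover several multiples of `min_span`, otherwise a slow source never reaches `min_events` inside it.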

