Hi, currently I am using tshark to capture my log on my host, and I would like to capture a port scan attack while I am doing my normal stuff on my host, like surfing the net.
I plan to identify the attack by the number of ports being accessed per 30 sec. On top of that, I would like to use it so that if the number of packets whose source IP and destination IP equal 172.20.180.27 and 172.20.180.12 appears to be the same amount or exceeds a certain range, it would prompt an alert.
Is it workable? If not, are there any solutions?
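One way to implement the 30-second window check described in the post, as an added example (not code from the post or from tshark): it reads tshark field output (assumed to be produced with `tshark -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport`), keeps a sliding 30-second window per source/destination pair, and raises an alert when the number of distinct destination ports in that window reaches an assumed threshold. The sample rows, the threshold, and which of the two addresses from the post plays the scanner are constructed for the example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample (not a real capture) in the shape of
#   tshark -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
# Four rows of ordinary browsing between the two hosts from the post, one row with no TCP port
# (e.g. ICMP), then a burst of twelve distinct ports from 172.20.180.12 within a fraction of a second.
BURST_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
SAMPLE = "\n".join(
    ["1700000000.10,172.20.180.27,172.20.180.12,443",
     "1700000001.20,172.20.180.27,172.20.180.12,443",
     "1700000002.05,172.20.180.27,172.20.180.12,80",
     "1700000003.00,172.20.180.27,172.20.180.12,",
     "1700000020.00,172.20.180.27,172.20.180.12,443"]
    + [f"1700000010.{i:02d},172.20.180.12,172.20.180.27,{p}" for i, p in enumerate(BURST_PORTS)]
) + "\n"

WINDOW_SECONDS = 30   # the 30 s interval from the post
PORT_THRESHOLD = 10   # assumed tuning value: distinct destination ports per source/destination pair


def parse_records(text):
    """Parse tshark field output into (epoch, src, dst, port) tuples; rows without a TCP port are skipped."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 4 or not row[3]:
            continue
        records.append((float(row[0]), row[1], row[2], int(row[3])))
    return records


def find_port_scans(records, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Sliding window per (src, dst): keep packets from the last `window` seconds and raise one alert
    the first time the count of distinct destination ports in that window reaches `threshold`."""
    recent = defaultdict(list)   # (src, dst) -> [(epoch, port), ...], oldest first
    alerted, alerts = set(), []
    for t, src, dst, port in sorted(records):
        bucket = recent[(src, dst)]
        bucket.append((t, port))
        while bucket and bucket[0][0] < t - window:   # expire packets older than the window
            bucket.pop(0)
        distinct = {p for _, p in bucket}
        if len(distinct) >= threshold and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append({"src": src, "dst": dst, "ports": sorted(distinct), "at": t})
    return alerts


if __name__ == "__main__":
    for a in find_port_scans(parse_records(SAMPLE)):
        print(f"ALERT {a['src']} -> {a['dst']}: {len(a['ports'])} distinct ports within {WINDOW_SECONDS}s")
```

The ordinary browsing rows never reach the threshold, so only the burst produces an alert; in live use the same functions can be fed line by line from `tshark -l` output instead of the embedded sample.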