Hi, I am trying to log the different attack attempts, such as a TCP port scan, a UDP port scan, a SYN flood attack, ... arriving at a computer. I would like to classify the attacks received into sections such as warning and critical. Warning would be port scans and critical would be SYN flood attacks. However, I don't get the necessary rules to be able to differentiate a SYN flood attack from a TCP port scan. Is it possible to differentiate an nmap TCP port scan from a SYN flood attack? I am using Ubuntu 18.04 with kernel 4.18.

Thanks in advance,