Re: [ossec-list] Re: if_sid vs if_matched_sid

2011-07-11 Thread dan (ddp)
I believe that would be the same for if_matched_group. I haven't done any testing with if_matched_group yet, so I don't know much about it. On Mon, Jul 11, 2011 at 11:31 AM, BP9906 wrote: > Thanks Dan, that makes more sense. > > Would that be the same for vs ?  Also, > how does if_group_matched

[ossec-list] Re: if_sid vs if_matched_sid

2011-07-11 Thread BP9906
Thanks Dan, that makes more sense. Would that be the same for vs ? Also, how does if_group_matched figure into if_matched_sid? It seems as though as events come in the group list counting isn't every alert being processed; meaning the alert would either be added to the sid match composite rule

Re: [ossec-list] Re: if_sid vs if_matched_sid

2011-07-08 Thread dan (ddp)
On Fri, Jul 8, 2011 at 11:29 AM, dan (ddp) wrote: > > if_sid: For this log message, is sid XXX a valid match> > if_matched_sid: Has sid YYY matched a recent log message (but not > necessarily this one)? > This is simplistic and partly wrong. if_sid is basically correct. If sid XXX matches the cu

Re: [ossec-list] Re: if_sid vs if_matched_sid

2011-07-08 Thread dan (ddp)
On Thu, Jul 7, 2011 at 12:36 PM, BP9906 wrote: > I'm wondering the same thing. What's the difference between the 2 > anyway? > if_sid: For this log message, is sid XXX a valid match> if_matched_sid: Has sid YYY matched a recent log message (but not necessarily this one)? > I'm ultimately trying

[ossec-list] Re: if_sid vs if_matched_sid

2011-07-07 Thread BP9906
I'm wondering the same thing. What's the difference between the 2 anyway? I'm ultimately trying to have 2 frequency rules and the second one doesn't fire. I suspect it's something to do with the if_sid or if_matched_sid. On Jun 27, 2:09 pm, "dan (ddp)" wrote: > Hi Jason, > > On Mon, Jun 27, 2011 at