[Oisf-users] IP Reputation Continual Alerting
Andreas Herz
andi at geekosphere.org
Sat Apr 1 19:52:18 UTC 2017
On 30/03/17 at 13:20, Kerry Milestone wrote:
> Hello,
>
> I have a rule which looks like:
>
> alert ip $REP_LOCAL_NET any -> any any (msg:"carnage - Internal host
> talking to FirstCull"; flow:to_server; iprep:dst,FirstCull,=,10;
> sid:987654; rev:1;)
>
> However, I can't seem to work out the trigger. The docs state that it
> "will only be checked once per flow-direction."
Could you share or create a pcap that we could use for
testing/debugging?
--
Andreas Herz