[Emerging-Sigs] Rule dupe, well msg anyway. Is that allowed?
bamm.visscher at gmail.com
Wed Dec 12 07:58:36 HAST 2012
<buddytheelf>No it doesn't.</buddytheelf>
Sguil does aggregate alerts based on unique source IP address and event
message, but if you display the rule, it uses the sid:gid:rev to pull the
correct one. The aggregation was done that way on purpose, so the analyst
(aka me) could write 10 different rules to catch phf attacks and have them all
correlated in the console under one event.
Shane needs to get on the "Do More Aggregation" bandwagon.
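An added illustration of the aggregation behaviour described above (example code written for this note, not Sguil's own): alerts are grouped on source IP and message only, while each alert's gid/sid/rev is kept so the console can still pull the exact rule. The rule texts, sid numbers and IPs are constructed for the example, not real rule ids.

```python
# Constructed sample rules, keyed the way the console looks them up: (gid, sid, rev).
# The sid/rev values are made up for this example, not real ET/VRT rule ids.
RULES = {
    (1, 9000001, 1): 'alert tcp any any -> $HTTP_SERVERS 80 (msg:"WEB-CGI phf access"; content:"/phf"; sid:9000001; rev:1;)',
    (1, 9000002, 2): 'alert tcp any any -> $HTTP_SERVERS 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf?"; sid:9000002; rev:2;)',
    (1, 9000003, 1): 'alert tcp any any -> $HTTP_SERVERS 80 (msg:"WEB-CGI other"; content:"/other"; sid:9000003; rev:1;)',
}

# Constructed alerts as a sensor would hand them to the console.
ALERTS = [
    {"src_ip": "10.0.0.5", "gid": 1, "sid": 9000001, "rev": 1, "msg": "WEB-CGI phf access"},
    {"src_ip": "10.0.0.5", "gid": 1, "sid": 9000002, "rev": 2, "msg": "WEB-CGI phf access"},
    {"src_ip": "10.0.0.5", "gid": 1, "sid": 9000001, "rev": 1, "msg": "WEB-CGI phf access"},
    {"src_ip": "10.0.0.9", "gid": 1, "sid": 9000001, "rev": 1, "msg": "WEB-CGI phf access"},
    {"src_ip": "10.0.0.5", "gid": 1, "sid": 9000003, "rev": 1, "msg": "WEB-CGI other"},
]


def aggregate(alerts):
    """Group alerts on (src_ip, msg) only, as the post describes.

    Every distinct (gid, sid, rev) seen inside a group is retained, so two
    different rules sharing one msg collapse into one event in the console
    but each underlying rule can still be resolved exactly.
    """
    events = {}
    for a in alerts:
        key = (a["src_ip"], a["msg"])
        ev = events.setdefault(key, {"count": 0, "rule_keys": []})
        ev["count"] += 1
        rk = (a["gid"], a["sid"], a["rev"])
        if rk not in ev["rule_keys"]:
            ev["rule_keys"].append(rk)
    return events


def show_rule(gid, sid, rev):
    """Pull the exact rule text by gid:sid:rev; msg alone would be ambiguous."""
    return RULES.get((gid, sid, rev))


if __name__ == "__main__":
    for (src, msg), ev in aggregate(ALERTS).items():
        print(f"{src}  {msg}  x{ev['count']}  rules={ev['rule_keys']}")
        for rk in ev["rule_keys"]:
            print("    ", show_rule(*rk))
```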