Hi,
A few suggestions to make it work:
1- Simplify your match (taken from David's reply): If you are looking
for a word, just use match (much faster):
    <match>Duplicate TCP SYN from</match>
2- A better solution would be to use the pix ID that you want:
    <id>^4-419002</id>
3- Do not write ignore rules
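The two suggestions above put together into one complete local rule, as an added example (not from the original thread or from OSSEC's shipped rule set). It assumes rule id 4100 is the PIX base rule the local rule should hang off (if_sid is an assumption; check your pix_rules.xml), uses the 100000-119999 range reserved for local rules, matches the PIX message id with <id> and the literal text with <match> rather than a regex, and keeps a non-zero level so the event is alerted on rather than ignored.

```xml
<!-- Added example: a local PIX rule for message 4-419002 (not original thread content). -->
<group name="local,pix,">
  <!-- 100xxx ids are reserved for local rules; 4100 is assumed to be the PIX base rule -->
  <rule id="100100" level="6">
    <if_sid>4100</if_sid>
    <!-- anchor on the PIX message id; faster and more exact than matching free text -->
    <id>^4-419002</id>
    <!-- literal word match instead of a regex: no wildcards needed here -->
    <match>Duplicate TCP SYN from</match>
    <description>PIX: duplicate TCP SYN seen (possible scan, flood, or retransmission).</description>
  </rule>
</group>
```

Place the file among your local rules (local_rules.xml or a file included from ossec.conf) and confirm with ossec-logtest that a sample 419002 line reaches rule 100100 instead of the generic PIX rule.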
Hi Chris,
The location where the alert came from can be searched using the
hostname tag.
For example:
    <rule id="110007" level="0">
      <if_sid>1003, 31101, 1002</if_sid>
      <hostname>error_log</hostname>
      <description>Web log ignore.</description>
    </rule>
Basically, when you look at an alert it has: