On 9/13/06, Leonardo Goldim <[EMAIL PROTECTED]> wrote:
> Isn't it better if the dst ip is always the agent (if agent-server) or the
> machine (if local installation), and the src ip is the ip that tries to
> connect, or 127.0.0.1 if it is something local?
> I believe that doing it this way is better for organizing information in
> BASE, right?

I use srcip 0.0.0.0 to indicate that it may not be a network-related alert (like a new user). If I used 127.0.0.1, then I would be mixing these with real srcip alerts from 127.0.0.1 for a network-related alert, like ssh from localhost.
Please do not hesitate to continue the debate.
