On 9/14/06, Leonardo Goldim <[EMAIL PROTECTED]> wrote:

My idea to use the real IP instead of 0.0.0.0 is to organize the alerts at
BASE ...
For example, I have a server that monitors many agents ... using BASE to
analyze the alerts, I can't order by host, the alerts are mixed ...

Why not? The agent is the dst IP. Sort by dstip.


If I use the dstip like the real IP, I can go to dest IP addrs -> select an IP
and I get all the alerts from that host, it's possible to make this
comparison that you explain using the srcip like 0.0.0.0 or real IP ...
The dst IP is the one who has logged the event
and src IP is either a known network real IP or null if unknown or not network related.
