Thanks Michael.

I guess that means that in the actual alert, once it triggers, the alert
will come from whatever box it got triggered at?

So if I have web1, web2, web3 and web4, and have a rule set up to send an
alert after the same IP is seen 3 or more times, and the requests go as
such:

GET web1/index.html
GET web2/index.html
GET web3/index.html
*GET web4/index.html*

Then the one I put in bold will always show up as the one sending the alert
no? Or the source of the alert may get shuffled eventually if it's a one-off
type of thing.

Am I roughly right in my understanding?

If this is the case, this could become somewhat misleading and not work out
so well for AR (especially if it's set up to fire locally per box where the
source alert came from).

Basically, if an alert based on same source IP across multiple servers is
triggered, I'd want to be able to see *all* the servers that were touched by
that IP leading up to the alert.

Maybe I'm still missing something...

On Wed, Jul 6, 2011 at 5:30 PM, Michael Starks <[email protected]> wrote:

> On 07/06/2011 04:08 PM, jplee3 wrote:
>
>> Hi all,
>>
>> I was wondering if frequency matching with same_source_ip is supposed
>> to work across multiple agents or if it is limited to triggering based
>> on a single agent?
>>
>
> Hi,
>
> It will work regardless of the location. Of course, you can use
> same_location to further restrict this if that is what you need.
>
> -Mike
>
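An added example, not from the thread, showing the two rule forms Mike describes as OSSEC local rules. The rule IDs 100100/100101, the threshold and the timeframe are assumptions; 31100 is the stock "access log messages grouped" parent rule from web_rules.xml.

```xml
<!-- Added example (not from the thread): local rules that count web requests
     from one source IP. Rule IDs, frequency and timeframe are assumptions. -->
<group name="local,web,">

  <!-- Variant 1: same_source_ip alone counts across ALL agents. In the
       thread's scenario (one hit each on web1, web2, web3) this rule fires
       when the third event arrives, so the alert's "Location" is the agent
       that delivered that third event. -->
  <rule id="100100" level="10" frequency="3" timeframe="120">
    <if_matched_sid>31100</if_matched_sid>
    <same_source_ip />
    <description>Same source IP seen on web servers 3 times within 2 minutes.</description>
  </rule>

  <!-- Variant 2: adding same_location restricts the count to a single
       agent. Three hits spread over three agents do NOT fire this rule;
       three hits on web1 alone do. Use this form when an active response
       should only act on the box that actually saw the repeated requests. -->
  <rule id="100101" level="10" frequency="3" timeframe="120">
    <if_matched_sid>31100</if_matched_sid>
    <same_source_ip />
    <same_location />
    <description>Same source IP seen on one web server 3 times within 2 minutes.</description>
  </rule>

</group>
```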
