I believe that would be the same for if_matched_group. I haven't done any testing with if_matched_group yet, so I don't know much about it.

On Mon, Jul 11, 2011 at 11:31 AM, BP9906 <[email protected]> wrote:
> Thanks Dan, that makes more sense.
>
> Would that be the same for <if_group> vs <if_group_matched> ? Also,
> how does if_group_matched figure into if_matched_sid? It seems as
> though as events come in the group list counting isn't every alert
> being processed; meaning the alert would either be added to the sid
> match composite rule counts OR the group match composite rule counts.
>
