Informer Rule Not Working Properly
Can anyone help me with this rule? It is not working properly:
This just creates a list of ip.dst and does not take any action on the "lookup and add". Anyone know why this isn't working?
If you are specifying your ip.src in your where clause, why are you adding it back in with a lookup and add? Just curious.
There is no such thing as ip.dstport. You might want tcp.dstport.
Payload and Packets are not indexed, so I don't think you will get those values back on the query.
When I do lookup and adds, I always change each line to point to the previous one.
#lookup_and_add('ip.src','ip.dst',5); < was probably causing all the issues, as it would return the same values if none of these lines below existed. >