
Informer Rule Not Working Properly

Question asked by NTRSPhil on Feb 25, 2014
Latest reply on Feb 28, 2014 by mwdombrowski

Can anyone help me with this rule? It is not working properly:

Select: ip.dst
Where: ip.src=10.10.10.10
Then:
     lookup_and_add('ip.src','ip.dst',5);
     lookup_and_add('size','ip.dst',5);
     lookup_and_add('ip.dstport','ip.dst',5);
     lookup_and_add('payload','ip.dst',5;);
     lookup_and_add('packets','ip.dst',5;);

This just creates a list of ip.dst and does not take any action on the "lookup and add".  Anyone know why this isn't working?
