Hi all,

Can anyone explain the difference between 'w.sip = e.sip' and
'e.sip = w.sip' in the window() function?
For example:
Rule 1:
filter(e.rv32="DB") flow window(*w.dun = e.dun*, filter(e.rv32="OS"), 3600) flow trigger(3,600)
Rule 2:
filter(e.rv32="DB") flow window(*e.dun = w.dun*, filter(e.rv32="OS"), 3600) flow trigger(3,600)

I want to know if the rules are the same. I saw some examples like these but
I'm not sure if it's the same behavior inside the correlation engine.


--
lliu
------------------------------------------------------------------------
lliu's Profile: https://forums.netiq.com/member.php?userid=2059
View this thread: https://forums.netiq.com/showthread.php?t=47589