ULAKBIM/NfQuery

Alerts in A Plug-In (Multi/Single Domain)

Closed this issue · 0 comments

During parsing of the output, an intelligent check should be done. First, if the output includes an IP address belonging to a Plug-In registered to the same QS (other than the Plug-In running the queries), a Multi-Domain alert should be generated.

For a single domain alert, the check should be dependent on the query. The IP addresses of the output should be checked to see if they belong to the Plug-In which runs the query. But, if the running query includes src_ip, only the dst_ips should be checked. If the running query includes dst_ip, only the src_ips should be checked. If the running query includes both src_ip and dst_ip, nothing will be checked. If the running query includes neither src_ip nor dst_ip, both src_ip and dst_ip will be checked. If a match occurs after this check, a single domain alert should be generated.
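One way to implement both checks described in this issue, as an added example (this is not NfQuery's own code). The registry layout (plug-in name mapped to a list of CIDR prefixes), the row field names `src_ip`/`dst_ip`, the query represented as a dict whose keys are filter fields, and the plug-in names and prefixes in the sample data are all assumptions made for the illustration:

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Alert(NamedTuple):
    kind: str      # "multi-domain" or "single-domain"
    ip: str        # the address from the output row that matched
    field: str     # "src_ip" or "dst_ip"
    plugin: str    # plug-in that owns the matching prefix
    row: dict      # the full output row, for reporting


def build_registry(prefixes_by_plugin: Dict[str, List[str]]) -> Dict[str, list]:
    """Parse CIDR strings into ip_network objects, keyed by plug-in name.
    Assumed registry shape; the real QS registration data is not shown in the issue."""
    return {name: [ipaddress.ip_network(p, strict=False) for p in nets]
            for name, nets in prefixes_by_plugin.items()}


def owner_of(ip: str, registry: Dict[str, list]) -> Optional[str]:
    """Return the plug-in whose prefixes contain `ip`, or None.
    Unparsable values (e.g. '-' in a summary line) are treated as no owner."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for name, nets in registry.items():
        if any(addr in net for net in nets):
            return name
    return None


def fields_to_check(query: dict) -> Tuple[str, ...]:
    """Single-domain rule from the issue: the query's own IP filters decide
    which output columns are compared against the running plug-in's prefixes."""
    has_src = "src_ip" in query
    has_dst = "dst_ip" in query
    if has_src and has_dst:
        return ()                   # both filtered: check nothing
    if has_src:
        return ("dst_ip",)          # src filtered: only destinations
    if has_dst:
        return ("src_ip",)          # dst filtered: only sources
    return ("src_ip", "dst_ip")     # no IP filter: check both


def classify(query: dict, rows: List[dict], this_plugin: str,
             registry: Dict[str, list]) -> List[Alert]:
    """Walk the query output and raise multi-domain alerts for addresses owned
    by any other plug-in on the same QS, and single-domain alerts for addresses
    owned by the running plug-in in the columns fields_to_check() selects."""
    single_fields = fields_to_check(query)
    alerts: List[Alert] = []
    for row in rows:
        for field in ("src_ip", "dst_ip"):
            ip = row.get(field)
            if ip is None:
                continue
            owner = owner_of(ip, registry)
            if owner is None:
                continue            # address belongs to no registered plug-in
            if owner != this_plugin:
                # Multi-domain: always checked, regardless of the query filters.
                alerts.append(Alert("multi-domain", ip, field, owner, row))
            elif field in single_fields:
                alerts.append(Alert("single-domain", ip, field, owner, row))
    return alerts


# Constructed sample data (documentation prefixes, not real plug-ins).
REGISTRY = build_registry({
    "plugin-a": ["192.0.2.0/24"],       # the plug-in running the query
    "plugin-b": ["198.51.100.0/24"],    # another plug-in on the same QS
})

SAMPLE_ROWS = [
    {"src_ip": "192.0.2.10", "dst_ip": "203.0.113.5"},     # own source only
    {"src_ip": "203.0.113.7", "dst_ip": "198.51.100.20"},  # plugin-b destination
    {"src_ip": "192.0.2.11", "dst_ip": "198.51.100.21"},   # own source, plugin-b destination
]


if __name__ == "__main__":
    for query in ({"proto": "tcp"},
                  {"src_ip": "192.0.2.0/24"},
                  {"src_ip": "192.0.2.0/24", "dst_ip": "198.51.100.0/24"}):
        print("query", query)
        for a in classify(query, SAMPLE_ROWS, "plugin-a", REGISTRY):
            print("  ", a.kind, a.field, a.ip, "owner:", a.plugin)
```

With the first query (no IP filter) both own sources produce single-domain alerts and both plugin-b destinations produce multi-domain alerts; adding a `src_ip` filter suppresses the source-side single-domain alerts while the multi-domain alerts remain, which is the behaviour the issue asks for.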