Incidents: Difference between revisions

880 bytes added ,  19 December 2022
(added the aggregation-feature to the documentation.)
* Report channel: Incidents are always visible in the web interface, but can also be reported via multiple channels, which are configured separately in the tab "Configuration of notification channels". Up to ten channels can be selected, and the incident for this rule is then reported on each of them. Alternatively, no channel can be configured, so that the incident is only accessible in the web interface.
* Aggregation: Incidents are aggregated by default. This means the table only shows the number of incidents of the type and the timestamps of the first and the last incident. Aggregation can be disabled for most incident types, so that every single incident of that type is listed.
* Traffic capturing [since version >= 3.7]: If supported by the trigger, the rule can be configured to capture the network traffic triggering the rule, including some extra time before and after the incident.
** Possible options:
*** Disabled: capturing is disabled for this rule
*** Live traffic: capturing happens only for live network traffic
*** Replay traffic: capturing happens only for replayed network traffic (from PCAP files)
*** Always: capturing happens in all traffic processing types.
** Extra capture time: configure the number of seconds before the start of the incident and after the end of the incident.
*** If a timespan parameter is used for attributes, the capture time includes this time duration as well.
** The traffic is automatically filtered to only contain the traffic that actually triggered the rule, i.e., an IP address or an IP group for IP rules.
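The aggregation and extra-capture-time behaviour described above, as an added Python example that is not part of this wiki page or of the product's own code. The incident records are constructed sample data; treating the attribute timespan as extending the capture window before the incident start is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Incident:
    rule: str        # incident type (the rule that fired)
    start: datetime  # first packet/event of the incident
    end: datetime    # last packet/event of the incident


def aggregate(incidents, disabled_for=frozenset()):
    """Build the incident table: one row per rule with count, first and last
    timestamp, unless aggregation is disabled for that rule (then one row each)."""
    rows, groups = [], {}
    for inc in incidents:
        row = {"rule": inc.rule, "count": 1, "first": inc.start, "last": inc.end}
        if inc.rule in disabled_for:
            rows.append(row)          # aggregation disabled: list every incident
            continue
        g = groups.get(inc.rule)
        if g is None:
            groups[inc.rule] = row
        else:
            g["count"] += 1
            g["first"] = min(g["first"], inc.start)
            g["last"] = max(g["last"], inc.end)
    rows.extend(groups.values())
    return rows


def capture_window(inc, extra_seconds, timespan_seconds=0):
    """PCAP window for an incident: extra time before the start and after the end.
    Assumption: an attribute timespan is added before the start (look-back)."""
    before = timedelta(seconds=extra_seconds + timespan_seconds)
    after = timedelta(seconds=extra_seconds)
    return inc.start - before, inc.end + after


# Constructed sample incidents (not real data).
T0 = datetime(2022, 12, 19, 10, 0, 0)
SAMPLE = [
    Incident("port-scan", T0, T0 + timedelta(minutes=1)),
    Incident("new-device", T0 + timedelta(minutes=2), T0 + timedelta(minutes=2)),
    Incident("port-scan", T0 + timedelta(minutes=5), T0 + timedelta(minutes=6)),
    Incident("new-device", T0 + timedelta(minutes=7), T0 + timedelta(minutes=7)),
    Incident("port-scan", T0 + timedelta(minutes=9), T0 + timedelta(minutes=10)),
]

if __name__ == "__main__":
    for r in aggregate(SAMPLE, disabled_for={"new-device"}):
        print(r["rule"], r["count"], r["first"], r["last"])
```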


=== Available triggers ===