Swatch replacement

From Finninday

Thursday, May 12th, 2005

I just learned that what I wanted to do with swatch is really event correlation. Imagine that. I just wanted to identify similar attacks from the same source within a window of time to automatically respond to them. Swatch is a favorite old tool of mine and I tried to make it work for this task, but I just couldn’t get the threshold feature to work. So I looked around and found Simple Event Correlation. Very nice. But way more complex than I would like. Oh well, I just need a good article with lots of examples to help me understand it.
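The "N similar events from one source inside a time window" check described above, written out as an added Python example rather than a swatch or SEC ruleset; it is not code from the original post. It assumes syslog-style sshd "Failed password" lines and a constructed sample log, and a per-source sliding window that fires once per burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog style, year assumed to be 2005): four failures
# from 10.0.0.5 inside a minute, plus two widely spaced ones from 192.0.2.9.
SAMPLE_LOG = """\
May 12 10:00:01 host sshd[101]: Failed password for root from 10.0.0.5 port 4001 ssh2
May 12 10:00:07 host sshd[102]: Failed password for admin from 10.0.0.5 port 4002 ssh2
May 12 10:00:09 host sshd[103]: Failed password for root from 192.0.2.9 port 5000 ssh2
May 12 10:00:30 host sshd[104]: Failed password for root from 10.0.0.5 port 4003 ssh2
May 12 10:00:31 host sshd[105]: Failed password for guest from 10.0.0.5 port 4004 ssh2
May 12 10:15:00 host sshd[106]: Failed password for root from 192.0.2.9 port 5001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for \S+ from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_ts(stamp, year=2005):
    # syslog stamps carry no year; assume one so timestamps are comparable
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def correlate(log_text, thresh=3, window=60):
    """Return (source, iso_time) pairs where `thresh` failures from one source
    fell within `window` seconds. Events outside the window are discarded, and
    the window is reset after an alert so one burst yields one alert."""
    seen = defaultdict(deque)  # source -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-login line; ignore
        src, ts = m.group("src"), parse_ts(m.group("ts"))
        q = seen[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # expire old events
            q.popleft()
        if len(q) >= thresh:
            alerts.append((src, ts.isoformat()))
            q.clear()
    return alerts
```

With the sample log and the defaults (3 hits in 60 s) only 10.0.0.5 trips the threshold; 192.0.2.9 never does because its two failures are fifteen minutes apart.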