Rules looking for IPs in reference sets, i.e. malicious IPs/BotNet etc., sometimes populate the first IP in a flow rather than the actual offending IP down further in the flow records, the Offense Type field will not get populated with the actual offending IP?
------------------------------
Thomas Fillmore
------------------------------