We’ll use this ability to check its core rules anomaly score in the logging phase of the request. If it is 5 or higher (corresponding to an alarm or the critical level), we set the variable ip.logflag and via expirevar give it an expiration of 600 seconds. This means that this variable remains in the IP collection for ten minutes and then disappears on its own automatically. This mechanism is repeated for the outgoing anomaly score in the subsequent rule.
Where is that in the configuration?
Does expirevar:ip.logflag=600 do both at the same time?
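As an added example (not the tutorial's own rule set and not from the original post), this is how the mechanism quoted above is typically written as ModSecurity 2.x rules. The rule ids, the SecDataDir path and the CRS 3.x score variable names (TX:INBOUND_ANOMALY_SCORE, TX:OUTBOUND_ANOMALY_SCORE) are assumptions; the IP collection has to be initialised earlier in the request, otherwise ip.* variables are silently ignored.

```apacheconf
# Assumption: persistent collections need a writable SecDataDir and an
# initialised IP collection, keyed here by the client address (phase 1).
SecDataDir /var/cache/modsecurity
SecAction "id:90000,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Phase 5 (logging phase): if the inbound anomaly score is 5 or higher,
# set the flag in the IP collection and let it expire after 600 seconds.
# setvar writes the value; expirevar only attaches an expiry time to that
# variable, so on its own it does not create or set ip.logflag.
# Both actions are needed, which is why they appear together.
SecRule TX:INBOUND_ANOMALY_SCORE "@ge 5" \
    "id:90101,phase:5,pass,nolog,\
    setvar:ip.logflag=1,\
    expirevar:ip.logflag=600"

# Same check repeated for the outbound (response) anomaly score.
SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge 5" \
    "id:90102,phase:5,pass,nolog,\
    setvar:ip.logflag=1,\
    expirevar:ip.logflag=600"

# Consumer of the flag (assumed usage): for the next ten minutes every
# request from a flagged client IP is written to the audit log in full,
# regardless of its own score. Runs in phase 1 so it covers the whole request.
SecRule IP:LOGFLAG "@eq 1" \
    "id:90103,phase:1,pass,nolog,\
    ctl:auditEngine=On"
```

Once the 600 seconds have elapsed, ModSecurity drops ip.logflag when the collection is next loaded, so rule 90103 stops matching without any further rule.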