I wonder if anyone could explain the global summary thing to me again. I enabled my signature "icmp time exceeded for a datagram sigid=2005". My VMS SecMon console now sometimes receives a global summary event for this signature. In the summary event we have the src and dst field recorded. Each time the GS event is received in the console it is the same src and dst. I ran "packet display" from the CLI of the sensor and I have absolutely no icmp traffic from that src that I received in the GS event.
Could you tell me if the src address is the actual address that triggered the G. summary, or do we just ignore the src and dst in this case?