I am trying to use summarization for sweep-engine signatures. For my test I use signature 2100, "ICMP Network Sweep w/ECHO". I set the unique parameter to 10 and the Summary mode to "Fire All", with the Summary Threshold set to 3. After that I ran a simple nmap ping scan of a network with 256 nodes.
I received 4 alerts with 10 addresses of scanned nodes and no summary alert at all.
I tried several parameters with no success at all. Every time I got several alerts with no summary.
Can anybody explain this behavior of the engine?
With best regards
P.S. I use version 6.2(1)E3 of the IPS software.