ACARM

File

File input allows you to read IDMEF messages directly from files. This can be used to analyse outdated alerts. The feature is also useful for filter tuning: because the stream of alerts is reproducible, it is easy to find the best set of rules for a particular environment.
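An added illustration of that reproducibility, not ACARM code or configuration: the same saved IDMEF alerts are replayed through two candidate rules and the surviving alerts compared. The sample alerts, the rule names and the Python predicates are constructed for this example and do not represent ACARM's filter syntax.

```python
import io
import xml.etree.ElementTree as ET

NS = {"i": "http://iana.org/idmef"}  # IDMEF XML namespace (RFC 4765)

def _alert(mid, when, src, text, severity):
    """Build one constructed IDMEF Alert element (child order follows the RFC)."""
    return (
        f'<idmef:Alert messageid="{mid}"><idmef:Analyzer analyzerid="sensor-1"/>'
        f'<idmef:CreateTime ntpstamp="0x0.0x0">{when}</idmef:CreateTime>'
        f'<idmef:Source><idmef:Node><idmef:Address category="ipv4-addr">'
        f'<idmef:address>{src}</idmef:address></idmef:Address></idmef:Node>'
        f'</idmef:Source><idmef:Classification text="{text}"/><idmef:Assessment>'
        f'<idmef:Impact severity="{severity}"/></idmef:Assessment></idmef:Alert>'
    )

# Constructed stand-in for the contents of a saved alert file.
SAMPLE_FILE = (
    '<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">'
    + _alert("a1", "2000-03-09T10:01:25Z", "192.0.2.10", "Ping-of-death detected", "high")
    + _alert("a2", "2000-03-09T10:02:11Z", "192.0.2.11", "Port scan", "low")
    + _alert("a3", "2000-03-09T10:05:40Z", "198.51.100.7", "Login failure", "medium")
    + "</idmef:IDMEF-Message>"
)

def parse_alerts(stream):
    """Read every Alert from an IDMEF file-like object, in file order."""
    out = []
    for a in ET.parse(stream).getroot().findall("i:Alert", NS):
        impact = a.find("i:Assessment/i:Impact", NS)  # Assessment is optional
        out.append({
            "id": a.get("messageid"),
            "time": a.findtext("i:CreateTime", namespaces=NS),
            "src": a.findtext("i:Source/i:Node/i:Address/i:address", namespaces=NS),
            "text": a.find("i:Classification", NS).get("text"),
            "severity": impact.get("severity") if impact is not None else None,
        })
    return out

def replay(rule):
    """Re-read the saved alerts from the start and return the ids the rule keeps."""
    return [a["id"] for a in parse_alerts(io.StringIO(SAMPLE_FILE)) if rule(a)]

# Hypothetical candidate rules under comparison.
RULES = {
    "high_only": lambda a: a["severity"] == "high",
    "high_or_scan": lambda a: a["severity"] == "high" or "scan" in a["text"].lower(),
}
```

Because every replay starts from the same file contents, any difference between two runs comes from the rule change alone.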
