Please forgive the seemingly ignorant question. "In 2.5 and later versions the ip log gets created when the first packet from that source is captured" Is this the packet that tripped the alarm/signature? When comparing iplogs to ip addresses for shun...