On Jan 25, 2016, at 14:08 , Adam Armstrong <adama@memetic.org> wrote:

It's often useful to include screenshots of the relevant parts when asking these kinds of things. It’s not uncommon for what people to write in emails not to match what they think they wrote in the alert checker :D

Copy that. I’m not used to attachments on mailing lists. :-)

"ifType eq ethernetCsmacd" is definitely a valid entity match, and should match the majority of ports on most networks!