Support need to be implemented so that it is possible to retrieve list of IDMEF value and assign multiple context for each retrieved value. For example, we might want to create multiple address context out of the content of alert.source().node.address().address.

When retrieving such an object, the IDMEF value API should be used in order to iterate the returned idmef_value_t object. We should then be able to bind these value to a specific action (in the example ahead $1* would mean to replicate the create action for each value contained in $1).

pattern = alert.source(*).node.address(*).address: (.*);
action = create TARGET_ADDRESS_$1*;

For example, if the resulting IDMEF value contain x.x.x.x and y.y.y.y, the action should expand to:

create TARGET_ADDRESS_x.x.x.x;
create TARGET_ADDRESS_y.y.y.y;