Sorry but i have question concerning "false positive" tuning. At the customer site we defined an user rule in order to monitor a dedicated switch; this works fine and the cs-mars produces incidents. Now for a demonstration (or better said for an acceptance test) i wanted to show how false positive handling works. I clicked on the false positive link (of such an incident) an got a new window where i had to check the message/event. Below this message i found further fields where i had to enter the IP address/mask and further Interfaces. I tried to enter the IP Adresse of the reporting switch or the cs-mars appliance. In both cases i only got a message, that this ip address is already registered. Huh? What went here wrong or better said do i understand something wrong?
Thanks and regards