We have deployed a CSS-SCA (Secure Content Accelerator) to terminate the SSL connection from the clients, and the traffic between the CSS-SCA and the servers is HTTP on port 80. Our IPS sensors (deployed in detection mode) see this HTTP traffic and trigger alarms, but the source IP shows up as the CSS-SCA device and the destinations are our servers, as the SSL connection is terminated at the SCA. How do we handle this scenario and figure out who the attacker is? We are currently not forwarding logs from the CSS-SCA to CW-SIM (Netforensics). Even if I have access to the SCA logs, how do I link this alarm to a particular client (external IP)? There could be multiple clients talking to our server at the same time!! Is Cisco MARS SCA-aware, and can it handle this scenario well by correlating with SCA logs?