You cannot do this in either case AFAICT. What you might be able to do is configure the action for all inspection rules to send a syslog to the ip address of the MARS box. Then create a "keyword" inspection rule to specifically fire based on the severity shown in the syslog message. Here is an example of what the syslogs look like:
<34>Mon Jan 7 13:51:08 2008 %MARS-1-101: Rule 205795 (Local Administrators group - membership modified) fired and caused yellow Incident 747340504, starting from Mon Jan 7 13:50:57 2008 to Mon Jan 7 13:50:57 2008
The rule name is "Local Administrators group - membership modified" and the Severity of the incident is yellow.
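As an added example (not part of the original post, and not Cisco's code), the following Python parses the syslog message shown above and matches on the incident severity as a field, so a rule whose name merely contains a severity word does not trigger it. The field layout is inferred from the one sample message; the function names, the second (constructed) message and its "green" severity value are assumptions.

```python
import re
from datetime import datetime

# Field layout inferred from the single sample message quoted in the post.
TS = r"\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
TS_FORMAT = "%a %b %d %H:%M:%S %Y"
MARS_INCIDENT = re.compile(
    rf"^<(?P<pri>\d{{1,3}})>(?P<sent>{TS}) %MARS-\d+-\d+: "
    r"Rule (?P<rule_id>\d+) \((?P<rule_name>.*)\) fired and caused "
    r"(?P<color>\w+) Incident (?P<incident_id>\d+), "
    rf"starting from (?P<start>{TS}) to (?P<end>{TS})$"
)

def parse_mars_incident(line):
    """Return the incident fields as a dict, or None for any other line."""
    m = MARS_INCIDENT.match(line.strip())
    if m is None:
        return None
    pri = int(m["pri"])
    return {
        "facility": pri >> 3,          # syslog PRI = facility * 8 + severity
        "syslog_severity": pri & 7,
        "rule_id": int(m["rule_id"]),
        "rule_name": m["rule_name"],   # greedy match keeps names containing ")"
        "incident_severity": m["color"].lower(),
        "incident_id": int(m["incident_id"]),
        "start": datetime.strptime(m["start"], TS_FORMAT),
        "end": datetime.strptime(m["end"], TS_FORMAT),
    }

def severity_matches(line, wanted):
    """Match on the parsed incident severity field, not on the raw text."""
    fields = parse_mars_incident(line)
    return fields is not None and fields["incident_severity"] in wanted

# The sample message from the post.
SAMPLE = ("<34>Mon Jan 7 13:51:08 2008 %MARS-1-101: Rule 205795 "
          "(Local Administrators group - membership modified) fired and caused "
          "yellow Incident 747340504, starting from Mon Jan 7 13:50:57 2008 "
          "to Mon Jan 7 13:50:57 2008")
# Constructed message: "yellow" appears only in the rule name.
DECOY = ("<34>Mon Jan 7 14:02:11 2008 %MARS-1-101: Rule 100001 "
         "(Constructed rule - yellow zone hosts) fired and caused "
         "green Incident 100000001, starting from Mon Jan 7 14:02:00 2008 "
         "to Mon Jan 7 14:02:05 2008")

if __name__ == "__main__":
    for msg in (SAMPLE, DECOY):
        print(parse_mars_incident(msg)["rule_name"], severity_matches(msg, {"yellow"}))
```

A plain substring keyword such as "yellow" would match both messages; anchoring the keyword to the "fired and caused <severity> Incident" phrase avoids that.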