Ok, I am not sure how this is happening, but here is my issue. Currently I set up notifications via email alerts whenever a certain rule fires. The issue I am having is that I am getting an e-mail alert for a rule that I cannot find. I am looking under the inspection rule tab, in the All group. I have it set to list 1000 rules (even though I don't have that many), and I am looking at the active and inactive rules and can't find the rule.
The interesting part is that in the notification it mentions the status as "edited":
Rule Name: System Rule: Network Activity: Excessive Denies - Host Compromise Likely-Sep 9, 2008 4:23:24 PM EDT
Status: Edited
Action: E-mail alert to MarsAdmins
Time Range: 0m:05s
Description: This correlation rule detects a large frequency (excess of 10/sec) of denies from a particular host to a particular destination port. This is a typical behavior of a compromised host looking to exploit hosts with a specififc vulnerability.
Any ideas/comments/advice would be appreciated.