We have a handful of remote sites that are on an IPsec site-to-site VPN connection with our corporate office. The head-end device is also our corporate firewall (ASA 5520) and has the IPS module installed in it.
MARS is configured to receive all events generated from the ASA firewall and the IPS sensors.
How can I exclude the VPN networks at the IP level from being subject to the interrogations? I've had to create several exclusions in the IPS module policy to stop the numerous alerts that get generated when typical Windows domain traffic is flagged. This is typical behaviour for domain machines, but it's not typical for firewalls to expect to see. Everything is doing its job as expected, but I need to stop all the alerts more efficiently and with a smaller configuration, so that I don't have to exclude TCP ports and services for each signature that is flagged.
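One way to do the exclusion at the IP level on the ASA itself, rather than per signature in the IPS policy, is to control which traffic the ASA hands to the IPS module at all. The ASA redirects traffic to the AIP-SSM through a class in its service policy; if that class matches an access list, site-to-site traffic between the corporate and remote LANs can be denied from the redirect while everything else is still inspected. The configuration below is an added example, not the original poster's configuration or Cisco reference material; the subnets 10.0.0.0/24 (corporate) and 10.1.0.0/24 (one remote site), the access-list and class-map names, and the choice of inline mode are all assumptions for illustration.

```cisco
! Added example (not from the original post). Subnets and object names are assumed.
! Corporate LAN: 10.0.0.0/24; remote site LAN over the site-to-site tunnel: 10.1.0.0/24.

! Traffic that should NOT be sent to the IPS module is denied here;
! the final permit sends everything else to the sensor as before.
access-list IPS_REDIRECT extended deny ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list IPS_REDIRECT extended deny ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list IPS_REDIRECT extended permit ip any any

! Class that selects only the permitted traffic for redirection
class-map IPS_CLASS
 match access-list IPS_REDIRECT

! Apply the IPS action to that class in the global policy.
! "inline" puts the sensor in the forwarding path; use "promiscuous" for monitor-only.
! "fail-open" keeps traffic flowing if the module goes down.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open

service-policy global_policy global
```

Add one pair of deny lines per remote site subnet (or summarise the remote sites into a single larger block if the addressing allows it). Note the trade-off: traffic excluded this way is never seen by the sensor, so a compromised remote site would not trigger any IPS alert against the corporate LAN; if you want to keep inspection but silence the domain noise, an event action filter on the sensor keyed on attacker/victim address ranges is the alternative, at the cost of the per-signature tuning you are trying to avoid.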