Force MARS to still alert on System False Positives

Unanswered Question

Our MARS 6.0.3 box has developed a bad habit of not alerting on certain signatures that it determines as being false positives. Mostly these are P2P rules in which the traffic is indeed blocked by the IPS devices. We still need to be alerted by this at the time of the event so that we can follow up on the incident. When we were on 4.X, we merrily received alerts when someone opened up a BitTorrent session. Now, for the most part, we do not receive alerts on these incidents, and the record of them occurring is banished to the system-determined false positive page. Any idea on how to get these alerting again, or to alert on when the MARS box determines an event to be a false positive?


