I have an ASA with the SSM IPS module in it. I must be doing something wrong because all of my events are showing my internal addresses as attackers and the external addresses as the victims. We do have Citrix servers that we use, and so I am getting a lot of TCP SYN scans coming from those boxes (which makes sense). I guess my question is: is there something like the HOME network on Snort where you can essentially say ignore my internal addresses as attackers? I know that is a little extreme in configuration, but I just need to make sure I haven't misconfigured something here. Any help would be greatly appreciated.