I've been living with MARS for almost a year now and it's still bugging me about the correlation, and I can't seem to get to the bottom of it.
My expectation is that a rule should fire when a security incident occurs.
My observation of MARS is that one rule fires no matter where or how many distinct incidents happen in the given time period (30 mins).
These are then split within the rule by instance 1,2,3 etc.
So take "System Rule : Server Attack: Misc - Attempt"
The rule fires and shows three instances.
Instances 1 and 2 contain the same source IP address.
Instance 3 is on a completely unrelated network.
I can see from the rule definition that there are lots of "any" clauses that have caused this scenario, but my issue is that I want a rule to fire per incident, not per collection of incidents.
So in the above example I would expect one rule to fire for instances 1 and 2 and a separate rule to fire for instance 3.
Am I crazy for wanting this functionality?
As an incident handler I want to know about incidents, not random unrelated things on the network.
Why do a lot of the rules contain so many "any" clauses for source and destination IPs?
Any help would be gratefully received before I begin to re-write the entire rulebase into something sensible.
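To make the difference concrete, here is an added toy correlator (example code written for this page, not Cisco MARS code or anything from the original post) that runs the scenario above two ways: an "any source / any destination" rule that collapses every match in a 30-minute window into one firing with several instances, and a rule keyed on source IP that fires once per source per window. The event record shape (`ts`, `src`, `dst`, `sig`), the signature name and the IP addresses are all constructed assumptions.

```python
"""Toy correlator: 'any/any' grouping versus per-source grouping.

Constructed example, not MARS internals. The events below reproduce the
situation in the post: two hits from one source, one hit from an unrelated
network, all inside a 30-minute window, plus a later hit that starts a new window.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
SIG = "server-attack-misc"  # stands in for "Server Attack: Misc - Attempt"

# Constructed sample events (addresses from documentation ranges, not real hosts).
EVENTS = [
    {"ts": datetime(2024, 1, 1, 10, 0), "src": "10.1.1.5", "dst": "192.0.2.10", "sig": SIG},
    {"ts": datetime(2024, 1, 1, 10, 4), "src": "10.1.1.5", "dst": "192.0.2.11", "sig": SIG},
    {"ts": datetime(2024, 1, 1, 10, 9), "src": "203.0.113.77", "dst": "198.51.100.3", "sig": SIG},
    {"ts": datetime(2024, 1, 1, 10, 50), "src": "10.1.1.5", "dst": "192.0.2.10", "sig": SIG},
]


def correlate(events, sig, key=None, window=WINDOW):
    """Return a list of firings for `sig`.

    key=None  -> any/any rule: one firing per window, every match becomes an instance.
    key="src" -> keyed rule: one firing per source IP per window.
    Each firing is {"group", "start", "instances"}; a new firing opens when an
    event arrives `window` or more after the open firing for its group started.
    """
    firings = []
    open_firings = {}  # group -> currently open firing
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["sig"] != sig:
            continue
        group = ev[key] if key else "*"
        current = open_firings.get(group)
        if current is None or ev["ts"] - current["start"] >= window:
            current = {"group": group, "start": ev["ts"], "instances": []}
            open_firings[group] = current
            firings.append(current)
        current["instances"].append(ev)
    return firings


def distinct_sources(firing):
    """Number of different attacker addresses hidden inside one firing."""
    return len({ev["src"] for ev in firing["instances"]})


def instance_counts(firings):
    """Instances per firing, in firing order: the shape a handler would see."""
    return [len(f["instances"]) for f in firings]


def summarize(events=EVENTS, sig=SIG):
    """Run both rule styles and return (any/any firings, per-source firings)."""
    return correlate(events, sig), correlate(events, sig, key="src")


if __name__ == "__main__":
    any_any, per_src = summarize()
    print("any/any rule:")
    for f in any_any:
        print(f"  fired {f['start']:%H:%M}: {len(f['instances'])} instances, "
              f"{distinct_sources(f)} distinct sources")
    print("rule keyed on source IP:")
    for f in per_src:
        print(f"  fired {f['start']:%H:%M} for {f['group']}: {len(f['instances'])} instances")
```

The first firing of the any/any run bundles three instances from two unrelated sources, which is exactly the "collection of incidents" complaint; keying the rule on source IP instead yields one firing for the 10.1.1.5 pair and a separate one for 203.0.113.77, with the later 10.1.1.5 hit opening its own window.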