Does anyone know if MARS can filter alerts based on data in the trigger packet of an IPS alert? We have a customer that is getting between 50 and 150 false positve Union Select SQL Injection alerts each day because they sell Sealy Union Select mattresses and each time there is a search on their site for this mattress this rule triggers. We don't want to turn off that signature alltogether because we have seen a handful of legitimate alerts from it as well over the last couple of weeks so we still want to know about them.
If we could create a filter in MARS to drop the alert if it sees Sealy or Mattress in the trigger packet of the IPS alert that would cut an enourmous of wasted time out of the daily review of these alerts. Anyone have any ideas?