I have a MARS device here and it is collecting and analysing the alerts from the IPS module on an ASA. It averages about 1000 alerts per day.
Is there an effective way to look at the alerts? Of course most of them are false positives. My goal is to look through the alerts and apply a drop rule if deemed false positive. Is this possible?
I was just trying to analyse one single alert, but I find I have no clue what is going on... I find that typically many rules trigger one incident and create an event...
The IDS/IPS with Event Viewer is so much easier to manage compared with MARS.
Does anyone out there have any suggestions on handling the alerts on MARS?