Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
556
Views
0
Helpful
1
Replies

MARS monitoring

kope
Level 1
Level 1

‎01-11-2007 07:03 PM - edited ‎03-11-2019 02:18 AM

i have a MARS device here and is collecting and analyse the alerts from the IPS module on an ASA. It average about 1000 alerts per day.

Is there an effective way to look at the alerts? Of course most of them are false-positive. My goal is trying to look through the alerts and apply to a drop rule if deem false-positive. Is this possible?

I was just trying to anlalyse one single alert, but i find i have no clue what is going on...i find typically many rules trigger one incident and create an event...

The IDS/IPS with Event Viewer is so much easy to manage compare with MARS.

does anyone out there has any suggestion on handling the alerts on MARS?

Thanks.

Labels:
0 Helpful
1 Reply 1

jim
Level 1
Level 1

‎01-15-2007 04:11 AM

Im not sure what your asking here. There is a whole tab dedicated to false positive events and drop rules to go with them. You can also edit the signatures on the IDS to tune it as well.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card