Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Can MARS filter based on something in the IPS trigger packet?


Does anyone know if MARS can filter alerts based on data in the trigger packet of an IPS alert?  We have a customer that is getting between 50 and 150 false positve Union Select SQL Injection alerts each day because they sell Sealy Union Select mattresses and each time there is a search on their site for this mattress this rule triggers.  We don't want to turn off that signature alltogether because we have seen a handful of legitimate alerts from it as well over the last couple of weeks so we still want to know about them.

If we could create a filter in MARS to drop the alert if it sees Sealy or Mattress in the trigger packet of the IPS alert that would cut an enourmous of wasted time out of the daily review of these alerts.  Anyone have any ideas?

Cisco Employee

Re: Can MARS filter based on something in the IPS trigger packet

Yes, you can configure "drop rules" to drop false positive from IPS events.

Here is the URL for your reference:

Configuration guide for drop rules:

Hope that helps.

New Member

Re: Can MARS filter based on something in the IPS trigger packet

Thanks for the reply halijenn.

Unless I missed something I don't see anywhere in those two links where a drop can be configured based on text in the trigger packet of the IPS alert.  I know that drops can be configured for fields like source/destination IP/Port, and/or signature number, and such but I was wondering if the drop could be configured for the words that would show up in the trigger packet associated with the IPS alert.

CreatePlease to create content