There are two pieces of the puzzle here. First 'detecting' L7 attacks and the second is 'mitigating' them.
MARS is not a device meant to 'detect' attacks, this is done by the reporting device (IPS, Firewall with Deep Packet Inspection etc). Once these devices report data (events) into MARS, MARS will parse/process these events into meaningful 'incidents'.
These 'incidents' are generated based on MARS rules. You can configure 'mitigation' (Layer 2) for these incidents/attacks using MARS.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...