You cannot do this in either case AFAICT. What you might be able to do is configure the action for all inspection rules to send a syslog to the IP address of the MARS box. Then create a "keyword" inspection rule to specifically fire based on the severity shown in the syslog message. Here is an example of what the syslogs look like:
<34>Mon Jan 7 13:51:08 2008 %MARS-1-101: Rule 205795 (Local Administrators group - membership modified) fired and caused yellow Incident 747340504, starting from Mon Jan 7 13:50:57 2008 to Mon Jan 7 13:50:57 2008
The rule name is "Local Administrators group - membership modified" and the Severity of the incident is yellow.
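An added example, not part of the original reply and not Cisco code: a Python parser for the incident syslog line shown above, usable on whatever host receives the message, that pulls out the rule, incident and severity and filters on severity. The field layout is inferred from that one sample line; the function names and the second and third sample lines are constructed, and "red" as a severity value is an assumption.

```python
import re
from datetime import datetime

# Layout inferred from the one sample line in the post; other MARS releases
# may word the message differently (assumption).
MARS_INCIDENT = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<sent>.+?) %MARS-(?P<level>\d)-(?P<msgid>\d+): "
    r"Rule (?P<rule_id>\d+) \((?P<rule_name>.+)\) fired and caused "
    r"(?P<severity>\w+) Incident (?P<incident_id>\d+), "
    r"starting from (?P<start>.+?) to (?P<end>.+)$"
)
TS = "%a %b %d %H:%M:%S %Y"  # e.g. "Mon Jan 7 13:51:08 2008"


def parse_incident(line):
    """Return the fields of a MARS incident syslog line, or None if it does not match."""
    m = MARS_INCIDENT.match(line.strip())
    if m is None:
        return None
    f = m.groupdict()
    pri = int(f.pop("pri"))
    try:
        for key in ("sent", "start", "end"):
            f[key] = datetime.strptime(f[key], TS)
    except ValueError:
        return None  # malformed timestamp: treat the line as non-matching
    f["facility"], f["syslog_severity"] = pri >> 3, pri & 7  # PRI = facility * 8 + severity
    f["rule_id"], f["incident_id"] = int(f["rule_id"]), int(f["incident_id"])
    f["severity"] = f["severity"].lower()
    return f


def incidents_with_severity(lines, wanted):
    """Keep only parsed incidents whose MARS severity colour is in `wanted`."""
    wanted = {w.lower() for w in wanted}
    return [i for i in map(parse_incident, lines) if i and i["severity"] in wanted]


# First line is the sample from the post; the other two are constructed.
SAMPLE = [
    "<34>Mon Jan 7 13:51:08 2008 %MARS-1-101: Rule 205795 (Local Administrators group - membership modified) fired and caused yellow Incident 747340504, starting from Mon Jan 7 13:50:57 2008 to Mon Jan 7 13:50:57 2008",
    "<34>Mon Jan 7 14:02:11 2008 %MARS-1-101: Rule 100001 (Example rule (constructed)) fired and caused red Incident 1, starting from Mon Jan 7 14:02:00 2008 to Mon Jan 7 14:02:05 2008",
    "<34>Mon Jan 7 14:03:00 2008 unrelated message",
]

if __name__ == "__main__":
    for hit in incidents_with_severity(SAMPLE, {"yellow"}):
        print(hit["rule_id"], hit["rule_name"], hit["severity"], hit["incident_id"])
```

The rule name is matched greedily up to the last ") fired and caused", so rule names that themselves contain parentheses are kept whole.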