How to avoid duplicate IDS alerts?
Scenario - When we enable all the signatures onn our Cisco IDS's the IDS generates a lot of duplicate alerts. To wit: System with source ip x.x.x.x attacks y.y.y.y - one alert.
System y.y.y.y responds with an established connection using same port and envision generates another alert because NIC alert ID has been matched.
If we try suppression of the alert based on Event ID, source and destination, the scenario described occurs. How can we record the alert without the duplicate 'response' from the percieved victim machine?