RSA Admin

How to avoid duplicate IDS alerts?

Discussion created by RSA Admin Employee on Sep 17, 2010

Scenario - When  we enable all the signatures onn our Cisco IDS's the IDS generates a lot of duplicate alerts. To wit: System with source ip x.x.x.x attacks y.y.y.y - one alert.

System y.y.y.y responds with an established connection using same port and envision generates another alert because NIC alert ID has been matched.


If we try suppression of the alert based on Event ID, source and destination, the scenario described occurs. How can we record the alert without the duplicate 'response' from the percieved victim machine?