Channel: SRX Services Gateway topics

SRX IDP - Only log drop action on multiple matches in policy


Hi folks. I am going through a project with IDP on the SRX. While we tune the IDP, there are multiple matches on attacks in the policy. For instance, I added some XSS attacks to a new rule with an action of drop. Some of these XSS attacks are still bundled with other built-in attack groups that have a recommended action of notify only.

 

Since the entire IDP policy is evaluated, an XSS attack is logged twice - once with an action of drop and once with an action of notify. This is difficult to deal with in our SIEM tools.

 

Does anyone know of a way to log only the drop action? I have thought about using the terminal option for a rule, which would stop the rest of the policy from being evaluated, but it only seems to consider source, destination, and application and not attack. That would stop other legitimate policies from being evaluated.

 

Any quick bits of knowledge would be a big help. I have a full lab I can test with. 

 

Thanks in advance!
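A collector-side way to handle the double logging described in the post, as an added example that is not part of the original post and not Juniper code: it collapses events for the same flow and attack inside a short window and keeps only the strongest action. The key=value record layout, the `drop`/`notify` action labels, the 5-second window and all sample values are constructed assumptions, not the real Junos IDP syslog format.

```python
import re

# Constructed sample events in a simplified key=value layout (assumption:
# adapt FIELD_RE and the field names to what your collector actually emits).
SAMPLE = """\
ts=1700000000 src=198.51.100.7:51514 dst=192.0.2.10:80 rule=12 action=drop attack=HTTP:XSS:EXAMPLE-A
ts=1700000000 src=198.51.100.7:51514 dst=192.0.2.10:80 rule=40 action=notify attack=HTTP:XSS:EXAMPLE-A
ts=1700000003 src=198.51.100.9:40000 dst=192.0.2.10:80 rule=40 action=notify attack=HTTP:SQL:EXAMPLE-B
ts=1700000090 src=198.51.100.7:51514 dst=192.0.2.10:80 rule=12 action=drop attack=HTTP:XSS:EXAMPLE-A
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
RANK = {"notify": 1, "drop": 2}  # assumed ordering: enforcement outranks notify-only
WINDOW = 5                       # seconds; assumed, tune to your log latency


def parse(line):
    """Turn one key=value line into a dict with an integer timestamp."""
    ev = dict(FIELD_RE.findall(line))
    ev["ts"] = int(ev["ts"])
    return ev


def collapse(lines, window=WINDOW):
    """Keep one event per (src, dst, attack) per window: the strongest action.

    Assumes lines arrive in time order. A later occurrence outside the window
    starts a new group, so repeated attacks are still reported.
    """
    kept = []    # surviving events, in arrival order
    latest = {}  # key -> (index into kept, timestamp that opened the group)
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        key = (ev["src"], ev["dst"], ev["attack"])
        slot = latest.get(key)
        if slot and ev["ts"] - slot[1] <= window:
            # Same match seen again by another rule: upgrade only if stronger.
            if RANK.get(ev["action"], 0) > RANK.get(kept[slot[0]]["action"], 0):
                kept[slot[0]] = ev
            continue
        latest[key] = (len(kept), ev["ts"])
        kept.append(ev)
    return kept


if __name__ == "__main__":
    for ev in collapse(SAMPLE.splitlines()):
        print(ev["ts"], ev["action"], ev["attack"], "rule", ev["rule"])
```

Events that only ever match a notify rule pass through unchanged, so nothing is lost for attacks that have no drop rule.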

