I have tried searching for an answer but was unable to find the correct one. I have a scanner on the network, and I have created a routing rule to bypass the CRE for the events from the scanner address. However, the hosts are reporting the scans (password probes), and in the offense the source and destination IP are the same (the host IP). The hosts are Linux hosts; I guess that, as they are feeding their logs into the engine, the CRE is recognizing the events as an attack and creates an offense alert. There is a lot of scanning going on, so it is difficult to deal with the amount.
Please give me advice on how to get rid of the alerts.
Thank you very much in advance!