Yeah, that's a good one. No real way of doing that. You'd really need auto ack with more granular options, but presently the application doesn't support that.
If you want, you could set up alert throttling to help minimize the flood of alerts. In IPS settings > Sensor Name > Advanced Scanning > Logging and Alerting, enable Alert Suppression... this would be across the board on all alerts though.
So, for example, the default is 120 seconds. If you see 200 alerts in 120 seconds, list only 1 alert in the Threat Analyzer instead of all of them (but block all of them). Opening the 1 alert in the Threat Analyzer shows you the count of alerts suppressed in that 120-second span.
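The throttling behaviour described in the reply above, modelled as an added Python example (this is not McAfee code and is not the sensor's actual implementation; it is an illustration of the window semantics the reply describes). The signature names, addresses and timestamps are constructed. The `keyfunc` parameter is an assumption of the model: a constant key reproduces the "across the board" behaviour the reply describes, while a per-signature key shows what the granular suppression discussed in this thread would look like, which the reply says the product does not offer.

```python
from dataclasses import dataclass

WINDOW_SECONDS = 120  # the default suppression interval quoted in the thread


@dataclass
class Alert:
    ts: float   # seconds since some epoch (constructed values below)
    sig: str    # attack / signature name (constructed)
    src: str
    dst: str


@dataclass
class ShownAlert:
    first: Alert
    suppressed: int = 0  # later alerts folded into this listed entry


class AlertSuppressor:
    """Window-based alert suppression (model, not the product's code).

    The first alert for a key is listed and opens a window of `window`
    seconds. Later alerts with the same key inside that window are still
    blocked by the sensor (that part is outside this model) but are not
    listed; instead the listed alert's suppressed count is incremented.
    `keyfunc` decides granularity: a constant key = global suppression,
    a per-signature key = per-alert suppression (hypothetical option).
    """

    def __init__(self, window=WINDOW_SECONDS, keyfunc=lambda a: "ALL"):
        self.window = window
        self.keyfunc = keyfunc
        self.open = {}    # key -> ShownAlert owning the current window
        self.shown = []   # entries that would reach the Threat Analyzer

    def ingest(self, alert):
        """Return True if the alert is listed, False if it is suppressed."""
        key = self.keyfunc(alert)
        cur = self.open.get(key)
        if cur is not None and alert.ts - cur.first.ts < self.window:
            cur.suppressed += 1
            return False
        entry = ShownAlert(alert)   # first alert of a new window is listed
        self.open[key] = entry
        self.shown.append(entry)
        return True


def build_sample_alerts():
    """Constructed feed: 200 scanner alerts in 120 s, 3 login failures
    inside that window, then one more scanner alert after the window."""
    alerts = [Alert(i * 0.6, "Scanner probe", "10.0.0.5", "10.0.0.80")
              for i in range(200)]                      # ts 0.0 .. 119.4
    alerts += [Alert(t, "Login failure", "10.0.0.7", "10.0.0.10")
               for t in (10.0, 20.0, 30.0)]
    alerts.append(Alert(200.0, "Scanner probe", "10.0.0.5", "10.0.0.80"))
    return sorted(alerts, key=lambda a: a.ts)


def run(keyfunc=lambda a: "ALL", window=WINDOW_SECONDS, alerts=None):
    """Feed the alerts through the suppressor; return (sig, ts, suppressed)
    for each alert that would be listed."""
    sup = AlertSuppressor(window, keyfunc)
    for a in alerts if alerts is not None else build_sample_alerts():
        sup.ingest(a)
    return [(e.first.sig, e.first.ts, e.suppressed) for e in sup.shown]


def summarize_global():
    # One window for every alert: the login failures vanish behind the
    # scanner flood, which is the operational cost of the global setting.
    return run()


def summarize_per_signature():
    # Hypothetical granular mode: each signature gets its own window.
    return run(keyfunc=lambda a: a.sig)


if __name__ == "__main__":
    for label, rows in (("global", summarize_global()),
                        ("per-signature", summarize_per_signature())):
        print(f"--- {label} suppression ---")
        for sig, ts, n in rows:
            print(f"t={ts:6.1f}  {sig:15}  suppressed={n}")
```

With the global key, the three login-failure alerts are counted inside the scanner alert's window and never get their own line, which is exactly why a single sensor-wide interval can hide a lower-volume attack behind a noisy one; the per-signature key keeps a listed entry for each distinct attack while still collapsing the flood.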
Thanks for confirming! I thought that may be the case, and I had also looked at the alert throttling. I think the key word you have used above is granular, with respect to both alert filtering and suppression. Not wanting to big up other vendors (from a technical perspective I believe McAfee is still at the front, and Gartner also agree!), but from an operational perspective I don't tend to see clients getting as much out of this product range as would be possible with granular options. Cisco (although I haven't worked with their 42xx for a while) have suppression options for each alert, and the attack filters contain settings that let you pick exactly what you want to filter out (e.g. remove alert, remove log, don't block, block) etc. Would it be helpful if I raise a PER? I like the McAfee sensors, and would love to see them raise their game when it comes to assisting with day-to-day operations for clients.