One of the things we added shortly before the Vulnerability Manager Technology Preview release was the ability to track attacks that were firing previously-generated IDS/IPS or WAF rules. Right now this only works for generated Snort rules, but it should be pretty straightforward to extend to other supported IDS/IPS and WAFs.
Basically, each rule that is generated receives a unique identifier. When a rule fires, its identifier is included in the log message. By uploading these logs to Vulnerability Manager, we can parse out the alerts associated with rules we generated and link them to the original vulnerability that spawned each rule.
This is handy because it provides some visibility into vulnerabilities in your applications that are actually being attacked. Based on this data you might choose to prioritize certain vulnerabilities over others for code-level remediation.
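The correlation described above can be sketched as follows. This is an added example, not Vulnerability Manager's own code. It assumes the rule identifier is carried as the Snort SID in "fast" format alert lines; the mapping, vulnerability labels and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Snort "fast" alert layout: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+.*?\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>\S+)\s+->\s+\S+\s*$"
)

# Assumption: the generated rule's identifier is its Snort SID. Constructed mapping.
RULE_TO_VULN = {
    1000001: "VULN-17: SQL injection, /login.jsp, parameter 'username'",
    1000002: "VULN-23: XSS, /search.jsp, parameter 'q'",
}

# Constructed sample alerts (documentation IP ranges), including a truncated line.
SAMPLE_LOG = """\
08/28-12:34:56.789012  [**] [1:1000001:1] Generated: SQLi /login.jsp [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51514 -> 192.0.2.10:80
08/28-12:35:02.104233  [**] [1:2000123:4] Constructed stock rule [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 203.0.113.7:51514
08/28-12:36:10.000001  [**] [1:1000001:1] Generated: SQLi /login.jsp [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.22:40022 -> 192.0.2.10:80
08/28-12:40:44.550010  [**] [1:1000002:1] Generated: XSS /search.jsp [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51620 -> 192.0.2.10:80
08/28-12:41:00.000000  [**] [119:1000002:1] Constructed preprocessor event [**] [Priority: 3] {TCP} 203.0.113.7:51621 -> 192.0.2.10:80
08/28-12:41:07.300000  [**] [1:10000
"""

def correlate(log_text, rule_to_vuln):
    """Return ({vuln: {"alerts": n, "sources": set}}, count of unparsed lines)."""
    hits = defaultdict(lambda: {"alerts": 0, "sources": set()})
    unparsed = 0
    for line in log_text.splitlines():
        m = ALERT_RE.match(line)
        if m is None:
            unparsed += 1  # report parse failures instead of silently dropping them
            continue
        # gid 1 is Snort's text-rule generator; other generators reuse SID numbers.
        if int(m["gid"]) != 1:
            continue
        vuln = rule_to_vuln.get(int(m["sid"]))
        if vuln is None:
            continue  # alert from a rule we did not generate
        hits[vuln]["alerts"] += 1
        hits[vuln]["sources"].add(m["src"].rsplit(":", 1)[0])  # strip the port
    return dict(hits), unparsed

def prioritize(hits):
    """Vulnerabilities ordered by how often their generated rule fired."""
    return sorted(hits, key=lambda v: hits[v]["alerts"], reverse=True)

if __name__ == "__main__":
    print(prioritize(correlate(SAMPLE_LOG, RULE_TO_VULN)[0]))
```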
Right now you have to manually upload the log files to Vulnerability Manager. We have talked with other IDS/IPS and WAF vendors, and one suggestion has been to add syslog support, so that is something we are considering for the future. We could also programmatically SCP log files off of sensors with a little bit of effort. So although this is a manual process right now, it should be easy to automate in the future.
dan _at_ denimgroup.com