
IPS log says action=drop but not dropping traffic

We have several incidents where the IPS log says it has dropped traffic, but we see the same traffic on our webservers from the same source and at the same time.

2018:12:11-14:32:26 fw-1 snort[27861]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SQL union select - possible sql injection attempt - GET parameter" group="234" srcip="x.x.x.x dstip="y.y.y.y" proto="6" srcport="55855" dstport="80" sid="13990" class="Misc Attack" priority="2" generator="1" msgid="0"

What can be the possible cause of this? Are there some built-in rules that are evaluated before the IPS rules? But still, why does it say drop and doesn't do it?

 

Aksel
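
One way to confirm the observation above is to pair each `action="drop"` IPS event with web-server requests from the same source inside a short time window. This is an added example, not part of the original post. It assumes a combined-format access log and that both hosts log in the same timezone; the sample lines, addresses and function names are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (documentation address ranges); not data from the post.
IPS_LOG = """\
2018:12:11-14:32:26 fw-1 snort[27861]: id="2101" sub="ips" action="drop" reason="SQL union select - possible sql injection attempt - GET parameter" srcip="203.0.113.7" dstip="192.0.2.10" proto="6" srcport="55855" dstport="80" sid="13990"
2018:12:11-14:40:02 fw-1 snort[27861]: id="2101" sub="ips" action="drop" reason="SQL union select - possible sql injection attempt - GET parameter" srcip="198.51.100.9" dstip="192.0.2.10" proto="6" srcport="40112" dstport="80" sid="13990"
"""
ACCESS_LOG = """\
203.0.113.7 - - [11/Dec/2018:14:32:26 +0100] "GET /item?id=1 HTTP/1.1" 200 512
203.0.113.7 - - [11/Dec/2018:14:32:27 +0100] "GET /item?id=1+union+select+1 HTTP/1.1" 200 4096
192.0.2.77 - - [11/Dec/2018:14:40:02 +0100] "GET / HTTP/1.1" 200 1024
"""

KV = re.compile(r'(\w+)="([^"]*)"')
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+)[^\]]*\] "([^"]*)" (\d{3})')

def parse_ips(line):
    """Return the key="value" fields of one IPS line plus a parsed 'ts', or None."""
    stamp = line.split(" ", 1)[0]
    try:
        ts = datetime.strptime(stamp, "%Y:%m:%d-%H:%M:%S")
    except ValueError:
        return None  # not an IPS log line
    fields = dict(KV.findall(line))
    fields["ts"] = ts
    return fields

def parse_access(line):
    """Return ip, timestamp (UTC offset ignored), request line and status, or None."""
    m = ACCESS.match(line)
    if not m:
        return None
    ip, stamp, request, status = m.groups()
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S")
    return {"ip": ip, "ts": ts, "request": request, "status": int(status)}

def drops_seen_by_server(ips_text, access_text, window_s=2):
    """Pair every IPS drop with access-log hits from the same srcip within window_s seconds."""
    window = timedelta(seconds=window_s)
    drops = [e for e in map(parse_ips, ips_text.splitlines())
             if e and e.get("action") == "drop"]
    hits = [a for a in map(parse_access, access_text.splitlines()) if a]
    return [(d, a) for d in drops for a in hits
            if a["ip"] == d.get("srcip") and abs(a["ts"] - d["ts"]) <= window]

if __name__ == "__main__":
    for d, a in drops_seen_by_server(IPS_LOG, ACCESS_LOG):
        print(d["ts"], d["srcip"], "sid", d["sid"], "->", a["status"], a["request"])
```

The IPS line carries only addresses and ports, not the URL, so a pair shows that the source reached the server in that window, not which request triggered the rule.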

 


