We have several incidents where the IPS log says it has dropped traffic, but we see the same traffic on our webservers from the same source and at the same time.
2018:12:11-14:32:26 fw-1 snort[27861]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SQL union select - possible sql injection attempt - GET parameter" group="234" srcip="x.x.x.x dstip="y.y.y.y" proto="6" srcport="55855" dstport="80" sid="13990" class="Misc Attack" priority="2" generator="1" msgid="0"
What can be the possible cause of this? Are there some built-in rules that are evaluated before the IPS rules? But still, why does it say drop and doesn't do it?
Aksel
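One way to put numbers on the observation in the post is to parse the IPS log lines and correlate each "drop" alert with the web server's access log by source address and time. The following is an added example, not code from the original post or from the UTM product: it assumes the `key="value"` layout quoted above, an Apache combined-format access log on the web server, and that both logs are kept in the same local time (the IPS timestamp carries no zone). The IP addresses and request lines are constructed samples from documentation ranges. The parser also tolerates the unbalanced quote that appears after `srcip=` in the pasted line, since a naive tokenizer would otherwise swallow `dstip` into the `srcip` value.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the UTM IPS log format quoted in the post. Addresses are
# documentation-range placeholders; the first line reproduces the unbalanced quote
# after srcip= that the pasted line has.
IPS_LOG = [
    '2018:12:11-14:32:26 fw-1 snort[27861]: id="2101" severity="warn" sys="SecureNet" sub="ips" '
    'name="Intrusion protection alert" action="drop" reason="SQL union select - possible sql '
    'injection attempt - GET parameter" group="234" srcip="203.0.113.7 dstip="198.51.100.10" '
    'proto="6" srcport="55855" dstport="80" sid="13990" class="Misc Attack" priority="2" '
    'generator="1" msgid="0"',
    '2018:12:11-14:40:02 fw-1 snort[27861]: id="2101" severity="warn" sys="SecureNet" sub="ips" '
    'name="Intrusion protection alert" action="drop" reason="SQL union select - possible sql '
    'injection attempt - GET parameter" group="234" srcip="203.0.113.9" dstip="198.51.100.10" '
    'proto="6" srcport="40112" dstport="80" sid="13990" class="Misc Attack" priority="2" '
    'generator="1" msgid="0"',
]

# Constructed Apache combined-format access log from the web server behind the firewall.
ACCESS_LOG = [
    '203.0.113.7 - - [11/Dec/2018:14:32:26 +0100] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "curl/7.61"',
    '203.0.113.9 - - [11/Dec/2018:15:10:44 +0100] "GET / HTTP/1.1" 200 1024 "-" "curl/7.61"',
]

# key="value" pairs. The value stops at a closing quote OR at the start of the next
# ` key="` token, so a missing closing quote does not merge two fields.
KV_RE = re.compile(r'(\w+)="((?:(?!\s\w+=")[^"])*)"?')
# Leading part of the IPS line: timestamp, host, snort[pid]:
HEADER_RE = re.compile(
    r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})\s+(\S+)\s+snort\[\d+\]:\s*(.*)$')
# Apache combined format: client, identd, user, [time], "request", status, bytes, ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def parse_ips_line(line):
    """Parse one UTM IPS log line into a dict; return None if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group(3)))
    fields["timestamp"] = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
    fields["host"] = m.group(2)
    return fields


def parse_access_line(line):
    """Parse one combined-format access log line; timestamp made naive (assumed local)."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return {"client": m.group(1), "timestamp": ts.replace(tzinfo=None),
            "request": m.group(3), "status": int(m.group(4))}


def find_ineffective_drops(ips_lines, access_lines, window=timedelta(seconds=5)):
    """Return (alert, hits) pairs for IPS 'drop' alerts where the web server still logged
    a request from the same source address within +/- window of the alert time."""
    hits = [h for h in map(parse_access_line, access_lines) if h]
    results = []
    for alert in filter(None, map(parse_ips_line, ips_lines)):
        if alert.get("action") != "drop":
            continue
        matching = [h for h in hits
                    if h["client"] == alert.get("srcip")
                    and abs(h["timestamp"] - alert["timestamp"]) <= window]
        if matching:
            results.append((alert, matching))
    return results


if __name__ == "__main__":
    for alert, hits in find_ineffective_drops(IPS_LOG, ACCESS_LOG):
        print(f'{alert["timestamp"]} sid={alert["sid"]} action={alert["action"]} '
              f'src={alert["srcip"]} dst={alert["dstip"]}:{alert["dstport"]}')
        for h in hits:
            print(f'    web server logged: {h["timestamp"]} {h["request"]} -> {h["status"]}')
```

A correlated hit is evidence that the request reached the web server despite the logged drop; with that list in hand, the next thing to verify is whether the IPS is actually inline on the path the matched requests took, rather than only observing a copy of the traffic. The time window is deliberately small because the post describes the traffic as arriving at the same time; widen it if the two hosts' clocks are not synchronised.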