
IPS log says action=drop but not dropping traffic

We have several incidents where the IPS log says it has dropped traffic, but we see the same traffic on our webservers from the same source and at the same time.

2018:12:11-14:32:26 fw-1 snort[27861]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="SQL union select - possible sql injection attempt - GET parameter" group="234" srcip="x.x.x.x dstip="y.y.y.y" proto="6" srcport="55855" dstport="80" sid="13990" class="Misc Attack" priority="2" generator="1" msgid="0"

What can be the possible cause of this? Are there some built-in rules that are evaluated before the IPS rules? But still, why does it say drop and doesn't do it?

Aksel

  • A connection would have to be established in order for Snort to make a detection, which is why you see traffic from this source host. Think of it this way. If I'm going to do some sort of SQL injection, I would first connect to the device, look around a bit, find a target and then launch the attack. Snort will drop the packets when it detects the attack; obviously it's not possible for Snort to detect an attack without analyzing traffic on an already established connection.

    Tim

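As an added example (not from the thread or from Sophos), a Python script that checks the point above against evidence: it parses a UTM IPS event in the key="value" format of the posted log line, pulls the same source's requests out of the web server's access log around the event time, and reports whether any of them carried the payload the rule fired on. Requests made over the connection before the detection are expected to appear; the dropped request itself should not. All log lines, IP addresses and the `union select` pattern are constructed, and the script assumes both logs use the same local clock.

```python
"""Correlate a UTM/Snort IPS "drop" event with the web server's own access log."""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed event in the UTM key="value" format from the thread; the
# unterminated srcip value mirrors the posted line and the parser tolerates it.
IPS_LINE = ('2018:12:11-14:32:26 fw-1 snort[27861]: id="2101" severity="warn" '
            'sub="ips" name="Intrusion protection alert" action="drop" '
            'reason="SQL union select - possible sql injection attempt - GET parameter" '
            'group="234" srcip="198.51.100.7 dstip="203.0.113.10" proto="6" '
            'srcport="55855" dstport="80" sid="13990" class="Misc Attack" priority="2"')

# Constructed Apache access-log lines from the web server around that time.
ACCESS_LOG = [
    '198.51.100.7 - - [11/Dec/2018:14:32:24 +0100] "GET / HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Dec/2018:14:32:25 +0100] "GET /products.php?id=3 HTTP/1.1" 200 2044',
    '203.0.113.99 - - [11/Dec/2018:14:32:26 +0100] "GET /products.php?id=7 HTTP/1.1" 200 2044',
    '198.51.100.7 - - [11/Dec/2018:14:40:00 +0100] "GET /robots.txt HTTP/1.1" 404 209',
]
# A value ends at the next ` key="` boundary even when its closing quote is missing.
KV_RE = re.compile(r'(\w+)="(.*?)"?(?=\s\w+="|$)')
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\s\]]+)[^\]]*\] "(?P<req>[^"]*)"')

def parse_ips(line):
    """Return the event's fields as a dict plus its timestamp as a datetime."""
    fields = dict(KV_RE.findall(line))
    fields['ts'] = datetime.strptime(line.split()[0], '%Y:%m:%d-%H:%M:%S')
    return fields

def correlate(ips_line, access_lines, window_s=30, payload=r'union\s+select'):
    """Requests from the event's source within the window, and which of them carry
    the payload the rule fired on. Assumes both logs share one local clock."""
    ev = parse_ips(ips_line)
    lo, hi = ev['ts'] - timedelta(seconds=window_s), ev['ts'] + timedelta(seconds=window_s)
    seen, leaked = [], []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or m['ip'] != ev['srcip']:
            continue
        if not lo <= datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S') <= hi:
            continue
        seen.append(m['req'])  # earlier requests on the connection are expected here
        if re.search(payload, unquote_plus(m['req']), re.I):
            leaked.append(m['req'])  # the dropped request itself should never appear
    return {'srcip': ev['srcip'], 'seen': seen, 'leaked': leaked,
            'drop_effective': not leaked}

if __name__ == '__main__':
    print(correlate(IPS_LINE, ACCESS_LOG))
```

If `leaked` is non-empty the request got through despite `action="drop"`, which is the case worth escalating; benign requests in `seen` are the handshake-era traffic Tim describes.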