I opened my IPS live log and there appeared a few entries. One of which said "Mirror/redirect action on"
I searched around for what this meant but found no explanation. I performed a search on my IPS logs but nothing is showing up.
I stopped and restarted the IPS and everything seems to be working fine (port scans are showing up in the logs) but I am stumped as to what this log entry means.
I am using the latest version of the UTM. Any ideas?
So I went to look at mine - and what is more concerning to me is I have 0 entries today on my IPS logs - that's like winning the lottery every day for a month. Why would they be empty? I've always got some type of portscan entry in there. They started 0-byte entries after I updated to 9.713. :sigh: Here we go...
UTM - 9.713-19 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz 16GB Memory | 500GB SATA HDD | GB Ethernet x5
Yes, I notice the same peculiarities too. Often I will open the log and the last entry will say ---***Snort is stopping***--- or similar. A quick port scan from Grc.com will confirm that is working and blocking port scans but there must be some issue going on, like port scans somehow causing the IPS to stop logging after receiving a few thousands of flood alerts. I can't think of any other reason. It seems to happen after receiving DDoS attacks and then the log will shot "Snort reloaded" messages.