
Mysterious disappearing IPS log entries. "Mirror/redirect action on"

I opened my IPS live log and a few entries appeared, one of which said "Mirror/redirect action on".

I searched around for what this meant but found no explanation. I performed a search on my IPS logs but nothing is showing up.

I stopped and restarted the IPS and everything seems to be working fine (port scans are showing up in the logs) but I am stumped as to what this log entry means.

I am using the latest version of the UTM. Any ideas?

  • So I went to look at mine - and what is more concerning to me is I have 0 entries today on my IPS logs - that's like winning the lottery every day for a month.  Why would they be empty?  I've always got some type of portscan entry in there. They started 0-byte entries after I updated to 9.713.  :sigh:  Here we go...

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Yes, I notice the same peculiarities too. Often I will open the log and the last entry will say ---***Snort is stopping***--- or similar. A quick port scan from Grc.com will confirm that it is working and blocking port scans, but there must be some issue going on, like port scans somehow causing the IPS to stop logging after receiving a few thousand flood alerts. I can't think of any other reason. It seems to happen after receiving DDoS attacks, and then the log will show "Snort reloaded" messages.

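The two replies above describe the same symptom: a burst of alerts, a "Snort is stopping" / "Snort reloaded" marker, and then the IPS log goes quiet even though a port scan is still blocked. The script below is an added example (not from this thread or from Sophos) that checks exported IPS log lines for exactly that pattern: it lists restart markers, finds long silences between alerts and reports which markers fell inside them, counts calendar days with zero alerts, and counts how many alerts hit in the minutes before each restart. The line layout (`YYYY:MM:DD-HH:MM:SS host snort[pid]: message`) and the sample lines are constructed for illustration and are an assumption about the UTM log format, not a verified specification.

```python
"""Check Sophos UTM-style IPS log lines for restart markers and logging silence.

Added example, not code from the thread or from Sophos. The line layout and the
sample lines are constructed for illustration (assumed format).
"""
import re
from datetime import datetime, timedelta

# Assumed layout: "YYYY:MM:DD-HH:MM:SS host snort[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ \S+: (?P<msg>.*)$"
)
TS_FORMAT = "%Y:%m:%d-%H:%M:%S"
# Substrings the replies quote as the last thing seen before the log goes quiet.
RESTART_MARKERS = ("Snort is stopping", "Snort reloaded")

# Constructed sample: two port scans, a short flood, a stop/reload, then nothing
# until two days later (so 2021-03-16 has no alerts at all).
SAMPLE_LOG = """\
2021:03:15-09:58:10 utm snort[2211]: id="2101" severity="warn" sub="ips" name="portscan detected" srcip="203.0.113.7" dstip="198.51.100.2"
2021:03:15-10:02:44 utm snort[2211]: id="2101" severity="warn" sub="ips" name="portscan detected" srcip="203.0.113.7" dstip="198.51.100.2"
2021:03:15-10:05:01 utm snort[2211]: id="2101" severity="warn" sub="ips" name="TCP SYN flood" srcip="192.0.2.9" dstip="198.51.100.2"
2021:03:15-10:05:03 utm snort[2211]: id="2101" severity="warn" sub="ips" name="TCP SYN flood" srcip="192.0.2.9" dstip="198.51.100.2"
2021:03:15-10:05:05 utm snort[2211]: id="2101" severity="warn" sub="ips" name="TCP SYN flood" srcip="192.0.2.9" dstip="198.51.100.2"
2021:03:15-10:05:09 utm snort[2211]: ---***Snort is stopping***---
2021:03:15-10:05:31 utm snort[2212]: Snort reloaded
2021:03:17-08:00:00 utm snort[2212]: id="2101" severity="warn" sub="ips" name="portscan detected" srcip="203.0.113.7" dstip="198.51.100.2"
"""


def parse_log(text):
    """Return [(timestamp, message)] for every line matching the assumed layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown layout: skip rather than guess
        events.append((datetime.strptime(m["ts"], TS_FORMAT), m["msg"]))
    return events


def is_restart_marker(msg):
    return any(marker in msg for marker in RESTART_MARKERS)


def restart_markers(events):
    return [(ts, msg) for ts, msg in events if is_restart_marker(msg)]


def alert_events(events):
    """Everything that is not a stop/reload marker counts as an alert line."""
    return [(ts, msg) for ts, msg in events if not is_restart_marker(msg)]


def silent_days(events):
    """Calendar days between first and last alert that contain no alert at all."""
    alerts = alert_events(events)
    if not alerts:
        return []
    seen = {ts.date() for ts, _ in alerts}
    day, last = alerts[0][0].date(), alerts[-1][0].date()
    quiet = []
    while day <= last:
        if day not in seen:
            quiet.append(day.isoformat())
        day += timedelta(days=1)
    return quiet


def silence_gaps(events, threshold=timedelta(hours=6)):
    """Consecutive alerts more than `threshold` apart, with any restart markers
    that fell inside the gap (the stop -> quiet log pattern from the thread)."""
    alerts = alert_events(events)
    markers = restart_markers(events)
    gaps = []
    for (t0, _), (t1, _) in zip(alerts, alerts[1:]):
        if t1 - t0 > threshold:
            inside = [msg for ts, msg in markers if t0 < ts < t1]
            gaps.append({"start": t0, "end": t1,
                         "seconds": int((t1 - t0).total_seconds()),
                         "restart_markers": inside})
    return gaps


def alerts_before_restart(events, window=timedelta(minutes=5)):
    """For each restart marker, how many alerts arrived in the preceding window.
    A high count supports the 'flood makes Snort stop' hypothesis."""
    alerts = alert_events(events)
    return [(ts, sum(1 for at, _ in alerts if ts - window <= at < ts))
            for ts, _ in restart_markers(events)]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("restart markers:", restart_markers(ev))
    print("silent days:", silent_days(ev))
    print("gaps:", silence_gaps(ev))
    print("alerts before restart:", alerts_before_restart(ev))
```

Feed it a real export instead of `SAMPLE_LOG` once you have confirmed the timestamp and process-name layout of your own UTM log; any line that does not match the assumed regex is skipped, so a silent result on real data may only mean the pattern needs adjusting.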
