I'm getting IDS intrusion alerts from an IP that I put in the firewall blocked list.
Is this normal behavior?
Hello!
By default, any newly created rules (Block IP List, ...) are disabled for safety reasons. Enable the firewall and this rule.
Firewall and block IP rule are both enabled.
I'm running Q2x v.5.2.48.
I have probably over 100 blocked IPs in total including individual filters (blocked by SIP UA) and in manually maintained blocked IP group.
I'm getting IDS intrusion alerts from an IP that is in an enabled firewall block rule.
Is this normal behavior?
Last edited by afuchs; 11-17-2011 at 05:51 PM.
Hello!
Thank you for your good question.
The problem is that the IDS chain is located higher than the Blocked IP List in the IP Tables of Quadro.
So, the incoming packets (attacks) do not reach the Blocked IP List rule.
From the user's side this may not be the expected behaviour, but this is how Quadro's IP Tables work. Regardless of which rule blocks packets from unwanted sources, you need not worry about your Quadro's security.
Regards,
Aram
Thanks for explaining IP table priorities.
It would be good if the alert checked the block table before it sends a false alarm.
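The ordering effect discussed in this thread, as an added example that is not part of any post and is not Quadro's actual rule set: a small first-match model in which the IDS stage runs either before or after the blocked-IP stage, plus the alert-side filter suggested in the last post. The stage functions, the `sip-scan` signature name, the assumption that the IDS stage drops what it alerts on, and the sample addresses (documentation ranges) are all constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not from the thread).
BLOCKED = [ipaddress.ip_network(n) for n in ("203.0.113.7/32", "198.51.100.0/24")]
PACKETS = [
    {"src": "203.0.113.7", "sig": "sip-scan"},   # blocked source, matches a signature
    {"src": "198.51.100.9", "sig": None},        # blocked source, no signature
    {"src": "192.0.2.50", "sig": "sip-scan"},    # unblocked source, matches a signature
    {"src": "192.0.2.60", "sig": None},          # ordinary traffic
]

def is_blocked(src):
    """True if the source address falls inside any blocked network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BLOCKED)

def ids_stage(pkt, alerts):
    """Hypothetical IDS stage: alert on and drop packets matching a signature."""
    if pkt["sig"]:
        alerts.append((pkt["src"], pkt["sig"]))
        return "DROP"
    return None  # no verdict, fall through to the next stage

def blocklist_stage(pkt, alerts):
    """Hypothetical blocked-IP stage: silent drop for listed sources."""
    return "DROP" if is_blocked(pkt["src"]) else None

def run(stages, packets):
    """First-match evaluation: the first stage that returns a verdict ends processing."""
    alerts, verdicts = [], []
    for pkt in packets:
        # The generator is lazy, so stages after the first verdict never see the packet.
        verdict = next((v for v in (s(pkt, alerts) for s in stages) if v), "ACCEPT")
        verdicts.append(verdict)
    return verdicts, alerts

def suppress_blocked(alerts):
    """Alert-side filter: hide alerts whose source is already on the block list."""
    return [a for a in alerts if not is_blocked(a[0])]

if __name__ == "__main__":
    for name, order in (("IDS first", [ids_stage, blocklist_stage]),
                        ("blocklist first", [blocklist_stage, ids_stage])):
        verdicts, alerts = run(order, PACKETS)
        print(name, verdicts, alerts, suppress_blocked(alerts))
```

In both orderings every packet receives the same verdict; only the alert list differs, which matches the point that the traffic is dropped either way.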