I would like to request a feature to automatically block an IP after so many IDS/IPS alerts. I recently had an incident where an IP tried various exploits against my exposed Blue Iris server that resulted in hundreds of emails. Any way we can just have it automatically block after so many attempts?
While we are at it, can we please get the source/destination fixed? An alert that says my device is the source for an exploit attempt doesn't make any sense when it's coming externally. I would expect source to be the one generating the alert, destination to be where it's attempting to go.
It does block the exploit but not the IP attempting it. I would like to see an automatic firewall rule generated blocking the IP attempting the exploit after so many attempts.
In the events panel, there are 2 action buttons; unfortunately it lacks details on what happens if we delete or ignore that particular event. In some IPSs I used in the office, we can tell the router to blacklist or whitelist a particular traffic and it remembers the action.
Yeah, it's either ignore the alert or delete the event; neither seems useful in this case.
I just don't see why we would want to allow a device attempting an exploit to sit there and continue to hammer on the network instead of just blocking it after, say, 2 or 3 attempts.
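As an added illustration of the threshold auto-block the posts above ask for (example code written for this thread, not the product's feature or anyone's posted code): it counts high-severity IDS alerts per remote peer, derives the remote side from address range rather than from the alert's source/destination fields so the direction mix-up noted earlier does not matter, and renders nftables set entries once a peer crosses the threshold. The alert line format, the LAN ranges, the sample alerts and the set name `blocked_peers` are all assumptions.

```python
import ipaddress
from collections import Counter

# Threshold from the thread's suggestion: block after 2 or 3 attempts.
BLOCK_THRESHOLD = 3
# Only these severities count; medium alerts are ignored for noise.
COUNTED_SEVERITIES = {"high", "critical"}
# Assumed LAN ranges (RFC 1918); anything outside them is the remote peer.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample alert log (not real IDS output). Assumed format:
# severity|source|destination|signature. Note lines 1 and 2 describe the
# same remote peer with the source/destination fields swapped.
SAMPLE_ALERTS = """\
high|203.0.113.45|192.168.1.20|constructed exploit signature A
high|192.168.1.20|203.0.113.45|constructed exploit signature A
high|203.0.113.45|192.168.1.20|constructed exploit signature B
medium|198.51.100.7|192.168.1.20|constructed scan signature
high|198.51.100.7|192.168.1.20|constructed exploit signature A
high|192.168.1.20|8.8.8.8|constructed outbound signature
"""

def is_lan(ip):
    return any(ip in net for net in LAN_NETWORKS)

def external_peer(src, dst):
    """Return the non-LAN address of the pair, whichever field it sits in.
    Returns None when both sides are LAN or both are external."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if is_lan(s) and not is_lan(d):
        return str(d)
    if is_lan(d) and not is_lan(s):
        return str(s)
    return None

def count_attempts(log_text):
    """Count counted-severity alerts per external peer."""
    counts = Counter()
    for line in log_text.splitlines():
        severity, src, dst, _signature = line.split("|", 3)
        if severity not in COUNTED_SEVERITIES:
            continue
        peer = external_peer(src, dst)
        if peer is not None:
            counts[peer] += 1
    return counts

def addresses_to_block(log_text, threshold=BLOCK_THRESHOLD):
    """Sorted list of peers at or above the threshold."""
    return sorted(ip for ip, n in count_attempts(log_text).items() if n >= threshold)

def firewall_rules(ips):
    """Render nft commands adding each peer to an assumed set 'blocked_peers'
    in table 'inet filter'; the rules are generated here, not applied."""
    return [f"add element inet filter blocked_peers {{ {ip} }}" for ip in ips]
```

With the sample log only 203.0.113.45 reaches three counted alerts; the medium scan alert and the single outbound alert stay below the threshold.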
So far I use the delete action to housekeep the logs so that they do not fill up the storage; at the moment we do not know where the log is kept and if pruning is necessary. As for the ignore action, I only used it on medium alerts, and I do find less noise in my mailbox.