Route 10 Events

The events that are listed, are they issues that have been blocked? I have the IDS/IPS turned on.


HIGH IPS: ET INFO External IP Lookup (avast .com)TCP

They should be if the Block Level setting has been enabled. By default only the Notification Level setting is turned on when activating IDS/IPS, so it should be notifying you of High severity events but not blocking them.

So Blocking was turned on and set to medium. Does setting the Notification Level and Blocking Level to High mean that it will Block and/or Notify everything regarded as High and lower?

If both are set to high then only high severity events will be blocked and you will get notified for them. I have mine set to high notification, low block so the way I understand it is I will only be notified for high severity events but it will still block low, medium, and high severity events.


This is my understanding as well 🙂


It’s a choice between security and convenience. With too many event logs you will get drowned by the amount of data, and you also need a proper way to archive it before the system shuts down due to low disk space, or before it gets overwritten if the log is set to circular. Besides, you probably need to be security trained in order to understand the alerts and decide what to do with them, otherwise it becomes too noisy.

We always have this issue in the office: blocking low severity may not be ideal because some legitimate sites will be blocked or partially blocked if they are poorly coded, denying user access. Hence our choice was blocking high severity and setting the notification level to low. All event logs are sent to our security management vendor’s SIEM (Splunk); they then correlate them and only activate us for genuine malicious events for further action.

For home use, I would set it to block high and notify on high; this is already one step better than none and it is less tiring to manage.

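An added example (not code from the thread or from the product) modelling the threshold semantics the replies above describe: an event is blocked when its severity is at or above the Block Level and notified when at or above the Notification Level. It assumes the alert format quoted in the thread (severity, engine, signature) and the "at or above" reading is an assumption taken from the replies, not documented behaviour; the sample lines other than the quoted one are constructed.

```python
import re
from dataclasses import dataclass

# Severity order: a higher index means more severe.
SEVERITY = ["low", "medium", "high"]

# Constructed sample events in the shape of the alert quoted in the thread.
# Only the first line is from the thread; the other two are made up.
SAMPLE_EVENTS = [
    "HIGH IPS: ET INFO External IP Lookup (avast .com)TCP",
    "MEDIUM IPS: ET POLICY Example medium-severity signature (constructed)",
    "LOW IPS: ET INFO Example low-severity signature (constructed)",
]

# Assumed line layout: "<SEVERITY> <ENGINE>: <signature text>"
EVENT_RE = re.compile(r"^(?P<severity>LOW|MEDIUM|HIGH)\s+(?P<engine>\w+):\s*(?P<signature>.+)$")

@dataclass
class Decision:
    signature: str
    severity: str
    notify: bool
    block: bool

def parse_event(line):
    """Return (severity, signature) from one alert line, or raise on unknown layout."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    return m.group("severity").lower(), m.group("signature").strip()

def evaluate(line, notify_level, block_level):
    """Apply the thresholds: act when severity is at or above the configured level."""
    severity, signature = parse_event(line)
    rank = SEVERITY.index(severity)
    return Decision(
        signature=signature,
        severity=severity,
        notify=rank >= SEVERITY.index(notify_level),
        block=rank >= SEVERITY.index(block_level),
    )

def summarise(lines, notify_level, block_level):
    """Return (notified, blocked) counts for a batch of event lines."""
    decisions = [evaluate(l, notify_level, block_level) for l in lines]
    return sum(d.notify for d in decisions), sum(d.block for d in decisions)

if __name__ == "__main__":
    # The three configurations discussed in the thread: home, "high notify / low block", office.
    for cfg in [("high", "high"), ("high", "low"), ("low", "high")]:
        print(f"notify={cfg[0]} block={cfg[1]} -> (notified, blocked) =", summarise(SAMPLE_EVENTS, *cfg))
```

The office configuration (notify low, block high) shows why the SIEM matters: every event is forwarded, but only one of the three sample events is actually blocked.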