Why are two events generated for the same signature (one as Detected and other as Blocked)?

Technote (FAQ)


Question

Why do you see two events generated for the same signature (one as Detected and other as Blocked)?

Answer

This is normal behavior and is due to the way the Protocol Analysis Module (PAM) event coalescer works.
When a signature fires, PAM will include the details of the traffic that caused it to fire in the event data. Certain events, such as scans and sweeps, may delay the collection of this data due to the nature of the traffic. If PAM is still in the process of collecting all of the event details, the event will show as having a "Detected" status. Once the collection of information is complete, the event will show as having a "Blocked" status.

In most cases, the two events are combined prior to being sent to SiteProtector. However, in situations where there was a delay or timeout while waiting for the rest of the information, users may see both the Detected and Blocked events in the SiteProtector Console. This is not indicative of a problem.



If the above information does not resolve your issue, please contact IBM Security Systems Technical Support.


Cross reference information
Segment Product Component Platform Version Edition
Security Proventia Network Intrusion Prevention System Not Applicable Firmware 1.8, 2.5, 3.3, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.6.1
Security Proventia Virtualized Network Security Platform Not Applicable Firmware 3.3, 4.1, 4.3, 4.4, 4.5, 4.6

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

IBM Security Network Intrusion Prevention System

Software version:

1.8, 2.5, 3.3, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.6.1

Operating system(s):

Firmware

Reference #:

1515937

Modified date:

2013-09-30

Translate my page

Machine Translation

Content navigation