Question & Answer
Question
Why do you see two events generated for the same signature, one as Detected and the other as Blocked, on IBM Security sensors?
Answer
This is normal behavior and is due to the way the Protocol Analysis Module (PAM) event coalescer works.
When a signature fires, PAM will include the details of the traffic that caused it to fire in the event data. Certain events, such as scans and sweeps, may delay the collection of this data due to the nature of the traffic. If PAM is still in the process of collecting all of the event details, the event will show as having a "Detected" status. Once the collection of information is complete, the event will show as having a "Blocked" status.
In most cases, the two events are combined before being sent to SiteProtector. However, in situations where there was a delay or timeout while waiting for the rest of the information, users might see both the Detected and Blocked events in the SiteProtector Console. This is not indicative of a problem.
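The pairing behaviour described above, as an added illustration (not IBM code, and not the real PAM coalescer): a small analyst-side routine that re-pairs Detected and Blocked rows for the same signature and flow so that a delayed pair is recognised as one firing rather than two incidents. The event field names, the 30-second window and the sample events are constructed assumptions, not the SiteProtector schema.

```python
from typing import Dict, List, Tuple

# Constructed sample rows, roughly what an analyst might export from the
# SiteProtector Console (field names are assumptions, not the product's schema).
# Times are seconds relative to the first event.
SAMPLE_EVENTS: List[dict] = [
    {"time": 0.0,  "signature": "TCP_Port_Scan", "src": "10.0.0.5", "dst": "10.0.1.20", "status": "Detected"},
    {"time": 1.2,  "signature": "TCP_Port_Scan", "src": "10.0.0.5", "dst": "10.0.1.20", "status": "Blocked"},
    {"time": 5.0,  "signature": "ICMP_Sweep",    "src": "10.0.0.7", "dst": "10.0.1.0",  "status": "Detected"},
    {"time": 40.0, "signature": "ICMP_Sweep",    "src": "10.0.0.7", "dst": "10.0.1.0",  "status": "Blocked"},
    {"time": 50.0, "signature": "HTTP_Exploit",  "src": "10.0.0.9", "dst": "10.0.1.30", "status": "Blocked"},
]

Key = Tuple[str, str, str]  # (signature, src, dst) identifies one firing


def coalesce(events: List[dict], window: float = 30.0) -> Tuple[List[dict], List[dict]]:
    """Pair each Detected row with the Blocked row that completes it.

    Returns (merged, unpaired). A Detected/Blocked pair for the same key that
    arrives within `window` seconds is merged into one record; a pair that
    exceeds the window is left as two rows, mirroring the delayed/timed-out
    case in which the Console shows both statuses. Rows with no partner at
    all are also returned in `unpaired`.
    """
    pending: Dict[Key, dict] = {}          # Detected rows still awaiting a Blocked
    merged: List[dict] = []
    unpaired: List[dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key: Key = (ev["signature"], ev["src"], ev["dst"])
        if ev["status"] == "Detected":
            if key in pending:             # earlier Detected never completed
                unpaired.append(pending[key])
            pending[key] = ev
        elif ev["status"] == "Blocked":
            first = pending.pop(key, None)
            if first is not None and ev["time"] - first["time"] <= window:
                merged.append({**first, "status": "Blocked",
                               "detected_at": first["time"], "blocked_at": ev["time"]})
            else:
                if first is not None:      # timed out: keep the Detected row as-is
                    unpaired.append(first)
                unpaired.append(ev)
    unpaired.extend(pending.values())      # Detected rows with no Blocked at all
    return merged, unpaired
```

With the constructed sample, the port scan pair merges into one record while the sweep pair, 35 seconds apart, stays as two rows, which is exactly the Detected-plus-Blocked appearance the answer describes.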
Document Information
Modified date:
23 January 2021
UID
swg21515937