Hello.
I have been using an ASG220 for a few days. It works to protect only two www servers. I placed the servers in the DMZ; on the ASG220 I have configured interfaces, NAT, and IPS.
If I try to test IPS with:
curl -v -s 'http://my-domain.com/rss.php?pathToFiles=https'
I can see it at Logging & Reporting -> Network Security -> Daily -> Intrusion Prevention statistics (drop events on graph).
There is information about the attack at Logging & Reporting -> Network Security -> IPS (my IP, packets, dest. hosts, etc.) too.
Unfortunately every time I can see in my www server's varnishncsa.log:
my-domain.com xx.attacker's-ip-xx.xx - - [01/Aug/2012:20:27:34 +0200] "GET /rss.php?pathToFiles=https HTTP/1.1" 200 130458 "-" "curl/7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6" hit
Why? IPS seems to be working but not blocking the attack. Why can I see it in my www server's logs?!
Can you help me?
Thank you in advance.
Radoslaw Lidak