Question on Default Action for Intrusion Protection Rule

I recently noticed some activity flagged as attacks on the XG Dashboard. Clicking on it indicated that the packets were allowed. I looked through the IPS policies to find the applicable rule, which was this one: Apple QuickTime traf Atom Out-Of-Bounds Access, SID 1150827010. I noticed that the default rule was set to allow rather than drop packets, and was curious why that was the case. This seems to be the case for a number of rules in the various policies. Is it because the vulnerabilities in question are not necessarily that risky, or that there is a high likelihood of false positives? 

I suppose the question I'm asking is what the proper process should be when there are hits on default rules that allow packets to go through.
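One way to make the review process concrete, as an added example that is not part of the original thread and not Sophos's own code: take the IPS log lines, group hits by signature id, and pull out the rules that fired in detect-only mode (the packet was allowed), with the distinct sources and targets involved, so the reviewer can check whether the targeted hosts actually run the affected software before deciding to change the rule's action. The `key="value"` log layout, the field names and the sample addresses are assumptions constructed for this example; only the SID and signature name of the Allow entries come from the post.

```python
import re
from collections import Counter

# Constructed sample IPS log lines for this example. The key="value" layout is
# an assumption made here, not Sophos XG's actual log schema. The SID and
# signature name of the Allow entries are the ones mentioned in the post; the
# Drop entry uses an obviously fake placeholder SID.
SAMPLE_LOGS = """\
log_type="IDP" action="Allow" signature_id="1150827010" signature_msg="Apple QuickTime traf Atom Out-Of-Bounds Access" src_ip="198.51.100.23" dst_ip="192.0.2.10"
log_type="IDP" action="Allow" signature_id="1150827010" signature_msg="Apple QuickTime traf Atom Out-Of-Bounds Access" src_ip="198.51.100.23" dst_ip="192.0.2.11"
log_type="IDP" action="Drop" signature_id="PLACEHOLDER-SID-1" signature_msg="Example drop-mode signature" src_ip="203.0.113.5" dst_ip="192.0.2.10"
log_type="IDP" action="Allow" signature_id="1150827010" signature_msg="Apple QuickTime traf Atom Out-Of-Bounds Access" src_ip="198.51.100.77" dst_ip="192.0.2.10"
log_type="FW" action="Allow" src_ip="198.51.100.23" dst_ip="192.0.2.10"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split one key="value" log line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def summarize_ips(log_text):
    """Group IPS events (log_type IDP) by signature id.

    Returns {sid: {"msg": str, "actions": Counter, "sources": set, "targets": set}}.
    Lines that are not IPS events, or carry no signature id, are skipped.
    """
    summary = {}
    for raw in log_text.splitlines():
        fields = parse_line(raw)
        if fields.get("log_type") != "IDP" or "signature_id" not in fields:
            continue
        sid = fields["signature_id"]
        entry = summary.setdefault(sid, {
            "msg": fields.get("signature_msg", ""),
            "actions": Counter(),
            "sources": set(),
            "targets": set(),
        })
        entry["actions"][fields.get("action", "?")] += 1
        entry["sources"].add(fields.get("src_ip", "?"))
        entry["targets"].add(fields.get("dst_ip", "?"))
    return summary


def detect_only_hits(summary):
    """Signature ids that fired but never dropped anything, most hits first.

    These are the rules whose action is Allow (detect-only) and therefore the
    ones a reviewer has to make a decision about.
    """
    sids = [
        sid for sid, e in summary.items()
        if e["actions"].get("Drop", 0) == 0 and e["actions"].get("Allow", 0) > 0
    ]
    return sorted(sids, key=lambda s: -sum(summary[s]["actions"].values()))


def review_summary(summary, sid):
    """Facts a reviewer needs for one signature: how many hits, how many
    distinct sources and targets, and whether every hit was allowed.

    The targets list is the set of hosts to check for the affected software
    (here QuickTime); if none of them run it, the hits are noise for this
    network and the rule can stay detect-only or be tuned. If they do, the
    rule is a candidate for switching to Drop after a false-positive check.
    """
    e = summary[sid]
    return {
        "sid": sid,
        "msg": e["msg"],
        "hits": sum(e["actions"].values()),
        "detect_only": e["actions"].get("Drop", 0) == 0,
        "distinct_sources": len(e["sources"]),
        "targets": sorted(e["targets"]),
    }


if __name__ == "__main__":
    s = summarize_ips(SAMPLE_LOGS)
    for sid in detect_only_hits(s):
        print(review_summary(s, sid))
```

Running the block on the constructed sample prints one review record: SID 1150827010 fired three times in detect-only mode from two source addresses against two internal hosts, which is exactly the short list (which hosts, does the software exist there, is the traffic expected) that has to be answered before flipping the rule from allow to drop.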
