Intrusion Prevention log action "Detect Only: Reset" in Deep Security / Endpoint and Workload Security

Product / Version includes:

Trend Vision OneAll , Deep SecurityAll

Last updated: 2023/11/24

Solution ID: KA-0014428

Category: Configure

Summary

Intrusion Prevention module protects your computers from known and zero-day vulnerability attacks as well as against SQL injections attacks, cross-site scripting attacks, and other web application vulnerabilities. When agents scan network traffic and the traffic meets a rule's match conditions, the agent handles it as a possible or confirmed attack and performs actions such as completely dropping the packets or resetting the connection, depending on the rule.

Intrusion Prevention works in either Detect or Prevent mode. To avoid false positive or accidental blocking of normal traffic, it is recommended to use a Detect Mode First upon application of the rule.

Detect: Intrusion Prevention uses rules to detect matching traffic and generate events but does not block traffic. Detect mode is useful to test that Intrusion Prevention rules do not interfere with legitimate traffic.
Prevent: Intrusion Prevention uses rules to detect matching traffic, generate events, and block traffic to prevent attacks.

When you see an action on the logs that says, "Detect Only: Reset", it means that the Intrusion Prevention System (IPS) mode is in Detect only and the supposed action is to reset the traffic. Once you have confirmed that the traffic is not false positive, you can use Prevent mode to enforce the rules.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Intrusion Prevention log action "Detect Only: Reset" in Deep Security / Endpoint and Workload Security

Intrusion Prevention log action "Detect Only: Reset" in Deep Security / Endpoint and Workload Security

Product / Version includes:

Summary