I'm creating some HIPS rules based on the activity log, but the log is confusing to me. For example here is an entry
Blocked Incoming TCP - Source 10.0.1.10: (3269) Destination: 10.0.12.3 (53065)
The machine that this entry came from is 10.0.1.10 (the source). The way I'm reading that entry:
HIPS blocked an incoming TCP packet coming from 10.0.1.10 (the machine I'm on) and going to 10.0.12.3. The only other thing that I can think of is that the request was initiated from 10.0.12.3, so HIPS blocked the packet from going out, but why wouldn't it say "Blocked Outgoing TCP..."?
You are reading the log correctly (for Incoming traffic, the Source IP is usually the remote IP address; the Destination is usually the local IP address or a broadcast/multicast address).
In this case, it appears the Source 10.0.1.10 is trying to initiate a new connection into 10.0.12.3. It's also possible that if the 10.0.12.3 client did send this as an outgoing packet initially (which was allowed), the connection (in the state table) was closed by the time the response came back, hence HIPS will see it as a new (blocked) Inbound connection.
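As an added illustration of the reading given in the answer (not code from either poster or from any HIPS product), the parser below takes log lines in the shape quoted in the question, applies the "Incoming: Source is remote, Destination is local" rule, and flags two things a rule author would want to notice: an entry whose local side is not the IP of the host that wrote the log, and a service-port-to-ephemeral-port inbound entry that could be a late reply to an expired outbound connection. The regex, the ephemeral-port threshold and the second sample line are assumptions.

```python
import re
from dataclasses import dataclass, field

# Regex for the activity-log line shape quoted in the question (assumed to be stable):
# "Blocked Incoming TCP - Source 10.0.1.10: (3269) Destination: 10.0.12.3 (53065)"
LOG_RE = re.compile(
    r"(?P<action>\w+)\s+(?P<direction>Incoming|Outgoing)\s+(?P<proto>\w+)\s*-\s*"
    r"Source\s+(?P<src_ip>[\d.]+):?\s*\((?P<src_port>\d+)\)\s+"
    r"Destination:?\s+(?P<dst_ip>[\d.]+):?\s*\((?P<dst_port>\d+)\)"
)

# Assumption: ports at or above this are client-side ephemeral ports
# (Linux defaults to 32768; the IANA dynamic range starts at 49152).
EPHEMERAL_START = 32768

@dataclass
class Entry:
    action: str
    direction: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    notes: list = field(default_factory=list)

def parse_entry(line: str) -> Entry:
    """Split one log line into its fields; raises ValueError on an unknown shape."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised HIPS log line: {line!r}")
    g = m.groupdict()
    return Entry(g["action"], g["direction"], g["proto"],
                 g["src_ip"], int(g["src_port"]), g["dst_ip"], int(g["dst_port"]))

def interpret(entry: Entry, this_host_ip: str) -> dict:
    """Map Source/Destination onto remote/local per direction and attach triage notes."""
    if entry.direction == "Incoming":
        remote_ip, local_ip = entry.src_ip, entry.dst_ip   # the answer's rule
    else:
        remote_ip, local_ip = entry.dst_ip, entry.src_ip
    notes = []
    if local_ip != this_host_ip:
        notes.append("local side is not this host's IP: check which machine wrote the entry")
    # Second hypothesis from the answer: a reply to an already-closed outbound
    # connection arrives from the service port towards our ephemeral port.
    if entry.direction == "Incoming" and entry.src_port < EPHEMERAL_START <= entry.dst_port:
        notes.append("service port -> ephemeral port: possibly a late reply to an expired outbound connection")
    return {"remote_ip": remote_ip, "local_ip": local_ip, "notes": notes}

# Constructed samples: the first is the line from the question, the second is invented.
SAMPLE_LINES = [
    "Blocked Incoming TCP - Source 10.0.1.10: (3269) Destination: 10.0.12.3 (53065)",
    "Allowed Outgoing UDP - Source 10.0.12.3: (51234) Destination: 10.0.1.10 (53)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(interpret(parse_entry(line), "10.0.1.10"))
```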