1 Reply Latest reply: Oct 9, 2013 10:09 AM by Kary Tankink

    HIPS Activity Log


      I'm creating some HIPS rules based on the activity log, but the log is confusing to me. For example, here is an entry:


      Blocked Incoming TCP - Source (3269) Destination: (53065)


      The machine that this entry came from is (the source). The way I'm reading that entry:


      HIPS blocked an Incoming TCP packet coming from (the machine I'm on) and going to the only other thing that I can think of is the request initiated from so HIPS blocked the packet from going out, but why wouldn't it say "blocked outgoing tcp.."

        • 1. Re: HIPS Activity Log
          Kary Tankink

          You are reading the log correctly (for Incoming traffic, the Source IP is usually the Remote IP address; Destination is usually the local IP address or broadcast/multicast address).


          In this case, it appears the Source is trying to initiate a new connection into  It's also possible that if the client did send this as an outgoing packet initially (which was allowed), the connection (in the state table) was closed by the time the response came back, hence HIPS will see it as a new (blocked) Inbound connection.
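
The two readings in the reply can be told apart with a port heuristic: in the entry above, the source port (3269) is outside the dynamic range while the destination port (53065) is inside it, which fits a late reply to a connection the local machine opened. The following is an added example, not part of the original thread and not McAfee code; the line layout (address before each parenthesised port), the sample addresses and the `classify` helper are assumptions made for illustration.

```python
import re

# Assumed layout: the thread's entry with an address before each port.
ENTRY = re.compile(
    r"Blocked (?P<dir>Incoming|Outgoing) (?P<proto>TCP|UDP) - "
    r"Source:? (?P<src>\S+) \((?P<sport>\d+)\) "
    r"Destination:? (?P<dst>\S+) \((?P<dport>\d+)\)"
)
EPHEMERAL = range(49152, 65536)  # IANA dynamic/private port range

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLES = [
    "Blocked Incoming TCP - Source 192.0.2.10 (3269) Destination: 198.51.100.25 (53065)",
    "Blocked Incoming TCP - Source 192.0.2.77 (51544) Destination: 198.51.100.25 (445)",
]


def classify(line):
    """Map Source/Destination to remote/local and guess who opened the flow."""
    m = ENTRY.search(line)
    if m is None:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    if m["dir"] == "Incoming":
        # Incoming: Source is the remote host, Destination is the local host.
        remote, rport, local, lport = m["src"], sport, m["dst"], dport
        if lport in EPHEMERAL and rport not in EPHEMERAL:
            # Service port -> client port: looks like a reply whose
            # state-table entry had already been closed.
            verdict = "likely late reply to a locally initiated connection"
        elif lport not in EPHEMERAL:
            verdict = "new inbound connection to a local service port"
        else:
            verdict = "undetermined"
    else:
        # Outgoing: Source is the local host, Destination is the remote host.
        local, lport, remote, rport = m["src"], sport, m["dst"], dport
        verdict = "outbound attempt from the local host"
    return {"remote": remote, "remote_port": rport,
            "local": local, "local_port": lport, "verdict": verdict}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

The verdict is a heuristic only: a rule written from it should still be checked against which process on the local machine owned the port at the time.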