I have enabled blocking on a router to fire when a certain sig fires. This has been working for a while; I can see the ACL on the router with the host being denied access, so I know that it has been working. The sig fired today and the host was added to the ACL on the router - so it should be blocked, right? After I verified that the host was added to the ACL on the router and through the IDM, I still receive e-mails on this sig firing with the same host that was supposedly blocked when it first came in. Does the IPS still log events even though the attacker is being blocked?