I have a scenario where an IDSM with IPS 6 is triggering on traffic from a non-trunk interface but not when the same traffic passes over another VLAN on a trunk.
Monitor setup is like this:
monitor session 10 source interface Gi1/2
monitor session 10 source interface Gi7/1
monitor session 10 filter vlan 22 - 23 , 208
monitor session 10 destination intrusion-detection-module 5 data-port 1
where 1/2 is the non-trunk interface and 7/1 is the trunk. Traffic from VLAN 23 is firewalled/NATed and sent out on VLAN 208 towards our edge network.
The exact case is that when I browse an external web site with SQL code in the HTML I get an SQL Injection alert from VLAN 208 only. I never get the alert for the same traffic passing behind the firewall over the trunk. When I set a sniffer as source for the SPAN session I see the HTTP request with the SQL code passing through the trunk interface as well as VLAN 208.
Am I missing something here? Shouldn't an IPS report ALL occurrences of bad traffic?
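Added example (not part of the post above, and not Cisco or IPS 6 code): a small script that does in code what the poster did with the sniffer, which is to take the frames arriving at the SPAN destination, group them by 802.1Q VLAN ID, and count how many HTTP requests on each VLAN carry a crude SQL-injection pattern. The frames are constructed inline (VLANs 22, 23 and 208 and one untagged frame), the pattern is a stand-in assumption rather than the sensor's real signature, and the VLAN and host values are made up. Note that the request is URL-decoded before matching, because the injection string in a browser request is normally percent-encoded; a pattern that only sees the raw bytes would miss it on every VLAN, not just one.

```python
import re
import struct
from typing import Dict, List, Optional, Tuple, Union
from urllib.parse import unquote_to_bytes

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Stand-in SQLi pattern (assumption, not the IPS 6 signature): matched
# against the percent-decoded TCP payload.
SQLI_PATTERN = re.compile(rb"union\s+select|'\s*or\s+1\s*=\s*1", re.IGNORECASE)


def build_frame(vlan: Optional[int], payload: bytes) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame carrying `payload`.

    Sample data only: MACs/IPs are made up and checksums are left as zero,
    since the parser below never validates them.
    """
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    tag = b""
    if vlan is not None:
        tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)  # PCP/DEI = 0
    tcp_len = 20 + len(payload)
    ip_total = 20 + tcp_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                         bytes([10, 0, 23, 10]), bytes([203, 0, 113, 5]))
    # src port 40000 -> dst port 80, data offset 5 words, flags PSH|ACK
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + tcp_hdr + payload


def parse_frame(frame: bytes) -> Tuple[Optional[int], Optional[bytes]]:
    """Return (vlan_id or None if untagged, TCP payload or None if not IPv4/TCP)."""
    if len(frame) < 14:
        return None, None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            return None, None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < offset + 20:
        return vlan, None
    ihl = (frame[offset] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
    if frame[offset + 9] != 6:  # not TCP
        return vlan, None
    tcp_off = offset + ihl
    if len(frame) < tcp_off + 20:
        return vlan, None
    data_off = (frame[tcp_off + 12] >> 4) * 4
    end = min(len(frame), offset + total_len)
    return vlan, frame[tcp_off + data_off:end]


def sqli_hits_by_vlan(frames: List[bytes]) -> Dict[Union[int, str], int]:
    """Count payloads matching SQLI_PATTERN per VLAN ('untagged' for no 802.1Q tag)."""
    hits: Dict[Union[int, str], int] = {}
    for frame in frames:
        vlan, payload = parse_frame(frame)
        if payload is None:
            continue
        key: Union[int, str] = vlan if vlan is not None else "untagged"
        matched = SQLI_PATTERN.search(unquote_to_bytes(payload)) is not None
        hits[key] = hits.get(key, 0) + (1 if matched else 0)
    return hits


# Constructed sample: the same injected request seen behind the firewall
# (VLAN 23) and after NAT on VLAN 208, plus benign requests elsewhere.
SQLI_REQUEST = (b"GET /search?q=1%27%20UNION%20SELECT%20user,password%20FROM%20users-- HTTP/1.1\r\n"
                b"Host: www.example.com\r\n\r\n")
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def sample_frames() -> List[bytes]:
    return [
        build_frame(23, SQLI_REQUEST),
        build_frame(208, SQLI_REQUEST),
        build_frame(22, BENIGN_REQUEST),
        build_frame(None, BENIGN_REQUEST),
    ]


if __name__ == "__main__":
    for vlan, count in sorted(sqli_hits_by_vlan(sample_frames()).items(), key=str):
        print(f"VLAN {vlan}: {count} SQLi-pattern request(s)")
```

Run against frames captured at the SPAN destination (for example, a pcap read with a library of your choice and fed to `sqli_hits_by_vlan`), a non-zero count on both VLAN 23 and VLAN 208 confirms what the poster saw with the sniffer: the mirrored traffic is present on both VLANs, so the difference in alerting is not a question of whether the SPAN session delivers the frames.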