We have an IPS 4235 system with IPS-K9-5.1-8-E3 Engine and sig file IPS-sig-s368-reg-E3 in front of our Firewall. We also (unfortunately) have the w32.conficker worm which is causing a DDoS and flooding the network with TCP 445 traffic. We are trying to set up the IPS to block this traffic before it hits our Firewall so that we can restore external WAN links.
The IPS system successfully detects this 445 traffic as signature ID 1302 and fills the event log, but even though we have enabled "deny connection inline" in the "signature configuration", it still does not seem to block the 445 traffic. Has anyone seen this before, and could they advise us on how to effectively block this traffic?