I noticed this morning that a custom signature I created triggered and an action that I didn't assign to it occured. I set the severity to medium and the actions of the signature to alarm and deny packet inline but "denied flow" also shows as an action taken in the alert message. I have two event action overrides, but they are set to add produce alert (medium) and produce alert and deny packet inline (high). I tried rebooting the sensor and then triggered the alert and it did the same thing.
It's not a major issue, but I do find it kind of odd. Any ideas?
The IPS is an ASA-SSM-20 running 7.0(4)E4.
The action taken by the sensor for a TCP-based signature with 'deny packet inline' action will be "upgraded" automatically to 'deny connection inline'. This is by design of the software.