I have about 20 of the same rule being blocked. My question is why were those two 'allowed'? Was the MX overworked at that instant and let it through? Just curious more than anything - we're just getting probed and I'm blocking IPs as they come in. I do still wish we could set up a rule to shun IPs doing this kind of stuff.
I've seen this before when the attack is against a port/user that did not currently have a mapping through the MX.
I'd check and see if the details of the event show a PC or port that would have been active at the time. If there was no active flow, then the "attack" would have been denied at the firewall and recorded by IDS/IPS, but it would never have been blocked at that level, as the firewall would've denied it first.
Not sure if that's happening here - there is a port/machine active. It's the same destination as the other events that were blocked. It's still happening today - 9 'blocked' with that same signature to the same destination, 1 'allowed' right in the middle of it.
Are the alerts in question being thrown by traffic directed to the MX's WAN/Public IP? If so, you're going to see "Allowed" as a decision, because the IDS sees and processes packets before the inbound firewall does.
If there are no port forwards, or other static NAT rules in place that permit that traffic, the IDS will alert that it's seen a payload matching a signature, and start waiting for additional traffic to drop. If no more comes - in this case, because the packet in question never gets a response because the inbound firewall dropped it - the IDS effectively cannot block any further traffic, so it notes it as Allowed.
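An added triage script to illustrate the reasoning in the last two replies (example code, not from this thread or from the appliance vendor): it takes IDS events and an inbound port-forward table in a simplified record shape that is an assumption, not the real export format, finds "allowed" hits sitting among blocked hits for the same signature and destination, and marks each "allowed" hit as either "no inbound rule, so the firewall would have dropped it" or "inbound rule exists, investigate". Signature names, IPs and ports are constructed sample values.

```python
from collections import defaultdict

# Constructed sample IDS events (assumed simplified shape, not the vendor's
# real log format). Three blocked hits and one "allowed" hit share the same
# signature and destination, as described in the thread; one more "allowed"
# hit targets a port that does have an inbound forward.
EVENTS = [
    {"ts": 1, "sig": "SIG-A", "src": "203.0.113.5", "dst": "198.51.100.10", "dport": 22, "action": "blocked"},
    {"ts": 2, "sig": "SIG-A", "src": "203.0.113.5", "dst": "198.51.100.10", "dport": 22, "action": "blocked"},
    {"ts": 3, "sig": "SIG-A", "src": "203.0.113.5", "dst": "198.51.100.10", "dport": 22, "action": "allowed"},
    {"ts": 4, "sig": "SIG-A", "src": "203.0.113.5", "dst": "198.51.100.10", "dport": 22, "action": "blocked"},
    {"ts": 5, "sig": "SIG-B", "src": "203.0.113.9", "dst": "198.51.100.10", "dport": 443, "action": "allowed"},
]

# Constructed inbound NAT / port-forward table: (public_ip, dport) -> internal host.
PORT_FORWARDS = {("198.51.100.10", 443): "10.0.0.20"}


def allowed_amid_blocked(events):
    """Group hits by (signature, dst, dport) and return the groups that
    contain both blocked and allowed decisions, i.e. the pattern asked about."""
    groups = defaultdict(lambda: {"blocked": 0, "allowed": 0})
    for e in events:
        groups[(e["sig"], e["dst"], e["dport"])][e["action"]] += 1
    return {k: v for k, v in groups.items() if v["allowed"] and v["blocked"]}


def classify_allowed(events, forwards):
    """For each 'allowed' hit, check whether an inbound forward exists for the
    destination/port. With no forward, the IDS alerted but the inbound
    firewall would have dropped the packet; with a forward, traffic had a
    real path to an internal host and the hit deserves a closer look."""
    verdicts = []
    for e in events:
        if e["action"] != "allowed":
            continue
        key = (e["dst"], e["dport"])
        if key in forwards:
            verdicts.append((e["ts"], "investigate", forwards[key]))
        else:
            verdicts.append((e["ts"], "no-inbound-rule", None))
    return verdicts


if __name__ == "__main__":
    for group, counts in allowed_amid_blocked(EVENTS).items():
        print("mixed decisions for", group, counts)
    for ts, verdict, host in classify_allowed(EVENTS, PORT_FORWARDS):
        print(f"ts={ts} {verdict}" + (f" -> {host}" if host else ""))
```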