@Andreas_Herz This is the Suricata log of the blocking events:
May 26 13:51:15 gsa-63391bd2-3538000001 suricata[1810]: {"timestamp":"2022-05-26T13:51:15.442623+0000","flow_id":324203556447421,"event_type":"drop","src_ip":"205.160.55.100","src_port":38969,"dest_ip":"205.160.50.100","dest_port":80,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"drop":{"len":331,"tos":0,"ttl":126,"ipid":39593,"tcpseq":835071409,"tcpack":843165753,"tcpwin":32768,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2021068,"rev":4,"signature":"INFO Dotted Quad Host M2 (noalert)","category":"Potentially Bad Traffic","severity":2}}
May 26 13:51:17 gsa-63391bd2-3538000001 suricata[1810]: {"timestamp":"2022-05-26T13:51:17.480395+0000","flow_id":324203556447421,"event_type":"alert","src_ip":"205.160.50.100","src_port":80,"dest_ip":"205.160.55.100","dest_port":38969,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":2034578,"rev":1,"signature":"EXPLOIT IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)","category":"Attempted User Privilege Gain","severity":1,"metadata":{"updated_at":["2021_12_03"],"tag":["Exploit"],"signature_severity":["Major"],"performance_impact":["Significant"],"former_category":["EXPLOIT"],"deployment":["Perimeter"],"cve":["CVE_2019_0752"],"created_at":["2021_12_03"],"attack_target":["Client_Endpoint"]}},"http":{"hostname":"205.160.50.100","url":"\/tmp\/poc.html","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":321},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":746,"bytes_toclient":763,"start":"2022-05-26T13:51:13.402621+0000"}}
May 26 13:51:17 gsa-63391bd2-3538000001 suricata[1810]: {"timestamp":"2022-05-26T13:51:17.480395+0000","flow_id":324203556447421,"event_type":"alert","src_ip":"205.160.50.100","src_port":80,"dest_ip":"205.160.55.100","dest_port":38969,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"http":{"hostname":"205.160.50.100","url":"\/tmp\/poc.html","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":321},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":746,"bytes_toclient":763,"start":"2022-05-26T13:51:13.402621+0000"},"tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":90000009,"rev":0,"signature":"IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)","category":"","severity":3}}
May 26 13:51:17 gsa-63391bd2-3538000001 suricata[1810]: {"timestamp":"2022-05-26T13:51:17.480395+0000","flow_id":324203556447421,"event_type":"alert","src_ip":"205.160.50.100","src_port":80,"dest_ip":"205.160.55.100","dest_port":38969,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"http":{"hostname":"205.160.50.100","url":"\/tmp\/poc.html","http_user_agent":"Mozilla\/5.0 (Windows NT 6.1; Trident\/7.0; rv:11.0) like Gecko","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":200,"length":321},"app_proto":"http","flow":{"pkts_toserver":4,"pkts_toclient":3,"bytes_toserver":746,"bytes_toclient":763,"start":"2022-05-26T13:51:13.402621+0000"},"tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":90000012,"rev":0,"signature":"IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)","category":"","severity":3}}
May 26 13:51:17 gsa-63391bd2-3538000001 suricata[1810]: {"timestamp":"2022-05-26T13:51:17.480395+0000","flow_id":324203556447421,"event_type":"drop","src_ip":"205.160.50.100","src_port":80,"dest_ip":"205.160.55.100","dest_port":38969,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"drop":{"len":40,"tos":0,"ttl":125,"ipid":39595,"tcpseq":843166392,"tcpack":835071700,"tcpwin":32768,"syn":false,"ack":true,"psh":false,"rst":true,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":90000012,"rev":0,"signature":"IE Scripting Engine Memory Corruption Vulnerability M2 (CVE-2019-0752)","category":"","severity":3},"tx_id":0}
May 26 13:51:17 gsa-63391bd2-3538000001 suricata[1810]: {"timestamp":"2022-05-26T13:51:17.484260+0000","flow_id":324203556447421,"event_type":"drop","src_ip":"205.160.55.100","src_port":38969,"dest_ip":"205.160.50.100","dest_port":80,"proto":"TCP","metadata":{"flowbits":["http.dottedquadhost"]},"drop":{"len":40,"tos":0,"ttl":126,"ipid":39595,"tcpseq":835071700,"tcpack":843166392,"tcpwin":32768,"syn":false,"ack":true,"psh":false,"rst":true,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0}}
As you can tell, the traffic is reported as blocked by multiple signatures (the alert events carry "action":"blocked"), but it is never actually blocked.