I've revisited a previous issue: in intrusion detection, users can specify a specific IP address range to block, but the result is a warning, not a block. This allows attackers scanning for the IP address range to access it and carry out their malicious activities. I wonder how many more times this problem will recur.
A) Why does your firewall allow out -> in connections?
B) Blocking IP ranges has no reason to happen in intrusion detection; create a firewall rule.
C) You created a custom rule and chose "Drop" as the action, but it "Alerts" instead?