At work we're in the process of implementing a SIEM (Security Information and Event Management) system. I'll leave the vendor nameless for the moment, but they have a reputation for making most everything harder than it needs to be. Until that is done all logs have to be reviewed manually, which obviously means they are not reviewed in real time. Others monitor most of the logs, but I monitor the IPS logs from our UTM device. Usually I review them each morning when I come in, but last week I didn't get a chance to, so yesterday I was playing catch-up.
As I reviewed them I noticed something new: lots of entries where XSS attempts had been blocked. At first I was really worried. If there were that many attempts, someone must have found a vulnerability and was now trying to exploit it, and without more research I had no real way of knowing whether they had succeeded. As I looked into it more I noticed that it had all happened on one day, within a short period of time, and from a single IP address. A whois lookup on that address revealed that it was me: I had been testing a new feature of our web site, and part of that testing was for XSS vulnerabilities.
It's good to know that the IPS caught this and stopped it before it reached the server itself. That makes me feel a little better. It also means, though, that the payloads never reached the application, so this test run said nothing about whether the new feature itself is vulnerable; that check has to be run against the application directly, from a source the IPS does not block. I sure will be glad when the SIEM implementation is complete so I can see these things in real time and have a better grasp on what is going on.
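The triage above (group the blocked XSS events by source address, look at how long the burst lasted and on how many days it recurred, then find out who owns the source) is exactly the kind of thing that is tedious by hand and trivial to script while waiting for a SIEM. The following is an added example, not code from the original post or from any UTM vendor: it runs over a constructed, pipe-delimited log whose layout is an assumption for the example, and it takes an assumed allowlist of CIDRs for the team's own test hosts so that a known tester is labelled as noise instead of raising an alarm.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample IPS log, pipe-delimited "timestamp|action|signature|src|dst".
# The layout is an assumption for this example, not the UTM vendor's real format.
# Source 203.0.113.7 produces a 20-event burst within ten minutes (the pattern an
# internal XSS test run leaves); 198.51.100.23 hits on two different nights.
_BURST = "\n".join(
    "2012-03-05 09:%02d:%02d|blocked|XSS: script tag in parameter|203.0.113.7|192.0.2.10"
    % (12 + (i * 30) // 60, (i * 30) % 60)
    for i in range(20)
)
SAMPLE_LOG = _BURST + """
2012-03-06 02:14:55|blocked|XSS: event handler in parameter|198.51.100.23|192.0.2.10
2012-03-07 03:41:10|blocked|XSS: script tag in parameter|198.51.100.23|192.0.2.10
2012-03-05 10:00:00|allowed|HTTP GET /index.html|198.51.100.44|192.0.2.10
2012-03-05 10:00:01|blocked|SQLi: UNION SELECT in parameter|198.51.100.23|192.0.2.10
"""


def parse_events(text, family="XSS"):
    """Return blocked events whose signature belongs to `family`, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, sig, src, dst = line.split("|")
        if action != "blocked" or not sig.startswith(family + ":"):
            continue
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "sig": sig, "src": src, "dst": dst,
        })
    return sorted(events, key=lambda e: e["ts"])


def summarize_by_source(events):
    """Per source IP: event count, time span, distinct days and signatures."""
    by_src = defaultdict(list)
    for e in events:            # events arrive oldest first, so evs[0] is the earliest
        by_src[e["src"]].append(e)
    summary = {}
    for src, evs in by_src.items():
        first, last = evs[0]["ts"], evs[-1]["ts"]
        summary[src] = {
            "count": len(evs),
            "first": first,
            "last": last,
            "span_seconds": (last - first).total_seconds(),
            "days": len({e["ts"].date() for e in evs}),
            "signatures": sorted({e["sig"] for e in evs}),
        }
    return summary


def triage(text, known_testers=(), burst_window_seconds=1800):
    """Attach a verdict to each source that triggered an XSS block.

    known_testers: CIDR strings for hosts expected to fire these signatures
    (the security team's own scanners). This allowlist is an assumption of the
    example. A block only means the IPS matched a signature; it says nothing
    about whether the application behind it is actually vulnerable.
    """
    testers = [ip_network(c) for c in known_testers]
    verdicts = {}
    for src, s in summarize_by_source(parse_events(text)).items():
        addr = ip_address(src)
        if any(addr in net for net in testers):
            verdicts[src] = "known testing source: expected noise, no escalation"
        elif s["days"] == 1 and s["span_seconds"] <= burst_window_seconds:
            verdicts[src] = ("short burst from one source: likely a scan or a "
                             "test run, identify the owner before escalating")
        else:
            verdicts[src] = "repeated over multiple days: investigate the target"
    return verdicts


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG, known_testers=("203.0.113.7/32",)).items():
        print(src, "->", verdict)
```

Run without the allowlist and the burst from 203.0.113.7 is flagged as "identify the owner", which is the point at which the whois lookup happens; run with the tester's address allowlisted and it drops to expected noise, while the source that comes back on consecutive nights is the one that still needs a look.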
1 comment:
>making most everything harder
Easy! That is clearly ArcSight.