target address 0.0.0.0

Jun 26th, 2007

I'm running my IDSM in promiscuous mode and creating event action filters to filter benign events. I'm seeing quite a few events (several different signatures) with a target IP address of 0.0.0.0. An example is:

signature: description=TCP Drop - RST or SYN in Window id=1330

target: addr: 0.0.0.0 locality=OUT port: 0

Can anyone tell me the meaning of this?

attmidsteam Tue, 06/26/2007 - 11:36

0.0.0.0 as a target means the signature entered regular or global summary mode. When this happens, you'll get the initial alert with full source & target info, and then a follow-on summary event (usually for a 30 second window by default) with a count of how often the source address triggered an event. Since the target could be different in the summary, it displays it as 0.0.0.0.

This behavior is tunable by editing the signature and choosing the summary-key of attacker & victim (to prevent 0.0.0.0 as a target). You can also change the summary-interval and choose a number larger than 30 (in seconds - to get longer summary intervals).

Hope this helps.
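The tuning described in the reply above, written out as a Cisco IPS 5.x/6.x sensor CLI session. This is an added example and is not part of the original thread or of the reply's own text. The signature ID 1330 subsignature 0 is taken from the question; the prompt names, the 60 second interval and the key value AxBx (attacker address + victim address) are assumptions based on the sensor CLI's configuration hierarchy and should be checked against the IPS version on the IDSM. Lines beginning with `!` are annotations, not CLI input.

```text
! Added example, not from the original thread. Cisco IPS 5.x/6.x sensor CLI (assumed syntax).
! Signature 1330/0 "TCP Drop - RST or SYN in Window" from the question is used as the sample.
sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 1330 0
sensor(config-sig-sig)# alert-frequency
! Before: with a summary key of Axxx (attacker address only) the sensor keeps one
! counter per attacker, so the summary event has no single victim to report and
! shows target 0.0.0.0 / port 0, exactly as in the question.
sensor(config-sig-sig-ale)# summary-mode summarize
! After: key on attacker AND victim so the summary event carries a real target,
! and widen the window from the usual 30 s default to 60 s (assumed value).
sensor(config-sig-sig-ale-sum)# summary-key AxBx
sensor(config-sig-sig-ale-sum)# summary-interval 60
sensor(config-sig-sig-ale-sum)# exit
sensor(config-sig-sig-ale)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes
```

Two practical caveats for anyone writing event action filters against this: with the AxBx key the sensor keeps a separate summary counter per attacker/victim pair instead of one per attacker, so a scanner hitting many hosts produces more summary events than before, and any filter you had already written to match the 0.0.0.0 target of summary events will stop matching once the real victim address appears. Re-check filters after the change from within the signature-definition service mode with `show settings`.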
