target address

Unanswered Question
Jun 26th, 2007
I'm running my IDSM in promiscuous mode and creating event action filters to filter benign events. I'm seeing quite a few events (several different signatures) with target ip addr of An example is:

signature: description=TCP Drop - RST or SYN in Window id=1330

target: addr: locality=OUT port: 0

Can anyone tell me the meaning of this?

attmidsteam Tue, 06/26/2007 - 11:36
as a target means the signature entered regular or global summary mode. When this happens, you'll get the initial alert with full source & target info, and then a follow-on summary event (usually for a 30 second window by default) with a count of how often the source address triggered an event. Since the target could be different in the summary, it displays it as

This behavior is tunable by editing the signature and choosing the summary-key of attacker & victim (to prevent as a target). You can also change the summary-interval and choose a number larger than 30 (in seconds - to get longer summary intervals).

Hope this helps.
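A small model of the summary-mode behaviour described in the answer above, added here as an illustration (this is not IDSM sensor code; the Alert/Event types, the "attacker-victim" key name and the sample addresses are constructed): the first hit for a summary key is reported in full, later hits in the same interval collapse into one summary event, and only the attacker & victim key keeps a target in that summary.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample types, loosely modelled on the alert fields quoted in the question.
@dataclass(frozen=True)
class Alert:
    sig_id: int
    attacker: str
    victim: str
    ts: float   # seconds since sensor start

@dataclass(frozen=True)
class Event:
    kind: str              # "alert" (full source/target) or "summary"
    sig_id: int
    attacker: str
    target: Optional[str]  # None models the unspecified target shown for a summary
    count: int

def _summary(first: Alert, count: int, summary_key: str) -> Event:
    # With summary-key "attacker" the victims in one window may differ, so no target is reported.
    target = first.victim if summary_key == "attacker-victim" else None
    return Event("summary", first.sig_id, first.attacker, target, count)

def summarize(alerts: List[Alert], summary_key: str = "attacker",
              summary_interval: int = 30) -> List[Event]:
    """Hypothetical model of summary mode: emit the first hit per key in full, then
    roll later hits within summary_interval seconds into a single summary event."""
    windows = {}  # key -> [window_start, follow_on_count, first_alert]
    events: List[Event] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sig_id, a.attacker) + ((a.victim,) if summary_key == "attacker-victim" else ())
        w = windows.get(key)
        if w is None or a.ts - w[0] >= summary_interval:
            if w is not None and w[1]:          # close the expired window first
                events.append(_summary(w[2], w[1], summary_key))
            windows[key] = [a.ts, 0, a]
            events.append(Event("alert", a.sig_id, a.attacker, a.victim, 1))
        else:
            w[1] += 1                            # counted, not reported individually
    for w in windows.values():                   # flush windows still open at the end
        if w[1]:
            events.append(_summary(w[2], w[1], summary_key))
    return events

# Constructed sample: signature 1330 from one source against two hosts over ~45 seconds.
SAMPLE = [Alert(1330, "10.0.0.5", "192.0.2.10", 0.0),
          Alert(1330, "10.0.0.5", "192.0.2.11", 5.0),
          Alert(1330, "10.0.0.5", "192.0.2.10", 12.0),
          Alert(1330, "10.0.0.5", "192.0.2.10", 45.0)]
```

Running `summarize(SAMPLE)` yields one full alert, a summary of two follow-on hits with no target, then a fresh alert once the 30 second window has expired; `summarize(SAMPLE, "attacker-victim")` keeps each victim in its own window and its summary carries the target.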

