Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
563
Views
10
Helpful
1
Replies

target address 0.0.0.0

t.clark
Level 1
Level 1

‎06-26-2007 06:03 AM - edited ‎03-10-2019 03:40 AM

I'm running my IDSM in promiscuous mode and creating event action filters to filter benign events. I'm seeing quite a few events (several different signatures) with target ip addr of 0.0.0.0. An example is:

signature: description=TCP Drop - RST or SYN in Window id=1330

target: addr: 0.0.0.0 locality=OUT port: 0

Can anyone tell me the meaning of this?

Labels:
0 Helpful
1 Reply 1

attmidsteam
Level 1
Level 1

‎06-26-2007 11:36 AM

0.0.0.0 as a target means the signature entered regular or global summary mode. When this happens, you'll get the initial alert with full source & target info, and then a follow on summary event (usually for a 30 second window by default) with a count of how often the source address triggered an event. Since the target could be different in the summary, it display it as 0.0.0.0.

This behavior is tunable by editing the signature and choosing the summary-key of attacker & victim (to prevent 0.0.0.0 as a target). You can also change the summary-interval and choose a number larger than 30 (in seconds - to get longer summary intervals).

Hope this helps.

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card