I find so many events listed on the sensor which report the source and/or destination as 0.0.0.0. In this event, the "attacker" is a known and permitted host. However, my ACLs do not permit it "any". I have no idea why so many events have the attacker or the victim as 0.0.0.0.
This is just too odd. I do not believe that all of the ISPs in the path are forwarding 0.0.0.0 to us. I also have no reason to believe the 3-4 ISPs between this "attacker" and us have coordinated to send 0.0.0.0 to us.
evIdsAlert: eventId=1214480258083636677 vendor=Cisco severity=informational
time: September 2, 2008 2:11:37 PM UTC offset=-240 timeZone=GMT-05:00
signature: description=Data Base TNS Connection id=7000 version=S262
sigDetails: Connection Detected
addr: 69.1.x.y [MODIFIED] locality=OUT
addr: 0.0.0.0 locality=OUT
os: idSource=unknown type=unknown relevance=unknown
summary: 4 final=true initialAlert=0 summaryType=Regular
alertDetails: InterfaceAttributes: context="Unknown" physical="Unknown" backplane="GigabitEthernet0/1" ; Regular Summary: 4 events this interval ;
riskRatingValue: 13 targetValueRating=medium
interface: GigabitEthernet0/1 context=Unknown physical=Unknown backplane=GigabitEthernet0/1
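As an added example, not part of the original post or of any Cisco tooling, the following Python script parses an evIdsAlert record like the one above into key/value fields and flags any address field that holds the IPv4 unspecified address 0.0.0.0 (which RFC 1122 reserves for "this host" during initialization and forbids as a destination on the wire, so its presence in an alert says something about how the sensor built the record rather than about a packet that was actually addressed to 0.0.0.0). It also surfaces the summary fields (`summary: 4 ... summaryType=Regular`), because this record is a summary of four events rather than a single connection, and that context matters when reading its address fields. The sample alert is constructed from the post's record with the masked attacker address 69.1.x.y replaced by the RFC 5737 documentation address 203.0.113.7; the script does not attempt to explain why the sensor reports 0.0.0.0.

```python
import ipaddress
import re

# Constructed sample, modelled on the evIdsAlert record quoted in the post.
# The post's attacker address is masked (69.1.x.y); 203.0.113.7 is an
# RFC 5737 documentation address used here as a stand-in.
SAMPLE_ALERT = """\
evIdsAlert: eventId=1214480258083636677 vendor=Cisco severity=informational
time: September 2, 2008 2:11:37 PM UTC offset=-240 timeZone=GMT-05:00
signature: description=Data Base TNS Connection id=7000 version=S262
sigDetails: Connection Detected
addr: 203.0.113.7 locality=OUT
addr: 0.0.0.0 locality=OUT
os: idSource=unknown type=unknown relevance=unknown
summary: 4 final=true initialAlert=0 summaryType=Regular
riskRatingValue: 13 targetValueRating=medium
interface: GigabitEthernet0/1 context=Unknown physical=Unknown backplane=GigabitEthernet0/1
"""

# key=value pairs; a value runs until the next " key=" or end of line, so
# multi-word values such as description=Data Base TNS Connection survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_alert(text):
    """Parse one evIdsAlert record into a flat dict.

    Each line has the shape 'field: [bare value] key=value ...'. The bare
    value (text before the first key=value) is stored under 'field', each
    pair under 'field.key'. 'addr' lines repeat, so they are collected in
    order under 'addrs' as {'addr': ..., 'locality': ...}.
    """
    rec = {"addrs": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        field, _, rest = line.partition(":")
        field, rest = field.strip(), rest.strip()
        kvs = dict(KV_RE.findall(rest))
        first = KV_RE.search(rest)
        bare = rest[: first.start()].strip() if first else rest
        if field == "addr":
            rec["addrs"].append({"addr": bare, **kvs})
            continue
        if bare:
            rec[field] = bare
        for key, value in kvs.items():
            rec[f"{field}.{key}"] = value
    return rec


def unspecified_addrs(rec):
    """Return the addr entries whose address is the unspecified address
    (0.0.0.0 for IPv4, :: for IPv6). Masked or malformed addresses such as
    the post's 69.1.x.y are skipped rather than treated as errors."""
    hits = []
    for entry in rec["addrs"]:
        try:
            ip = ipaddress.ip_address(entry["addr"])
        except ValueError:
            continue
        if ip.is_unspecified:
            hits.append(entry)
    return hits


def triage(text):
    """Summarise one alert: identifiers, any unspecified addresses, and
    whether the record is a summary alert and of how many events."""
    rec = parse_alert(text)
    return {
        "eventId": rec.get("evIdsAlert.eventId"),
        "sig_id": rec.get("signature.id"),
        "sig_description": rec.get("signature.description"),
        "unspecified": [e["addr"] for e in unspecified_addrs(rec)],
        "is_summary": "summary" in rec,
        "summary_count": int(rec["summary"]) if "summary" in rec else None,
        "summary_type": rec.get("summary.summaryType"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

Running it against the sample prints the event and signature identifiers, `unspecified: ['0.0.0.0']`, and `summary_count: 4`. Pointing `parse_alert` at a file of sensor output, one record per block, gives a quick count of how many alerts carry 0.0.0.0 and whether they are all summary records, which is the first thing to establish before blaming upstream ISPs.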