Network 0.0.0.0 in IPS alerts

Unanswered Question
Feb 20th, 2009
Good afternoon:


I have a Cisco IPS 4240 sensor. This appliance is generating alerts with the network 0.0.0.0 as attacker and victim.


Example:

Severity informational

Application Name sensorApp

Event Time 02/20/2009 12:26:19

Sensor Local Time 01/20/2009 12:26:19

Signature ID 1330

Signature Sub-ID 16

Signature Name TCP Drop - PAWS check failed

Signature Version S248

Signature Details TCP Packet segment failed PAWS check

Attacker IP 0.0.0.0

Target IP 0.0.0.0

Target Port 0

Target Locality OUT



Can someone tell me what this means?


Thanks in advance.

Syed Iftekhar Ahmed Fri, 02/20/2009 - 13:07
This generally happens when, in Summary mode, the alerts are coming from a large number of attacker IPs or are directed to a large number of victim IPs.

So instead of trying to show perhaps thousands of IPs in the attacker and/or victim address fields, the field will be populated with only 0.0.0.0.

If you want to see an alert for each time it is triggered, you can reconfigure the signature and set it to FireAll mode with no Summary Threshold.



Syed
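As an added example (not from this thread and not Cisco code), a small Python helper that parses alerts in the field/value layout pasted in the question and flags summary-mode aggregates, so a SIEM rule or analyst does not treat 0.0.0.0 as a real attacker or victim host. It assumes each alert is a blank-line-separated block of "Field value" lines using the field names shown above; the sample alerts are constructed.

```python
import re
from typing import Dict, List

# Field names taken from the alert shown in the question; longest first so
# "Signature Sub-ID" is tried before "Signature ID" in the alternation.
FIELDS = sorted(["Severity", "Application Name", "Event Time", "Sensor Local Time",
                 "Signature ID", "Signature Sub-ID", "Signature Name", "Signature Version",
                 "Signature Details", "Attacker IP", "Target IP", "Target Port",
                 "Target Locality"], key=len, reverse=True)
_LINE = re.compile(r"^(" + "|".join(map(re.escape, FIELDS)) + r")\s+(.+)$")

# Constructed sample: one summary-mode aggregate (as on the page) followed by
# one ordinary per-flow alert using RFC 5737 documentation addresses.
SAMPLE = """Signature ID 1330
Signature Name TCP Drop - PAWS check failed
Attacker IP 0.0.0.0
Target IP 0.0.0.0
Target Port 0

Signature ID 1330
Signature Name TCP Drop - PAWS check failed
Attacker IP 198.51.100.7
Target IP 192.0.2.25
Target Port 443
"""

def parse_alerts(text: str) -> List[Dict[str, str]]:
    """Split blank-line-separated alert blocks into {field: value} dicts."""
    alerts, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the current alert
            if current:
                alerts.append(current)
                current = {}
            continue
        m = _LINE.match(line)
        if m:                             # unknown lines are ignored, not fatal
            current[m.group(1)] = m.group(2).strip()
    if current:
        alerts.append(current)
    return alerts

def is_summary_alert(alert: Dict[str, str]) -> bool:
    """Summary-mode aggregates carry 0.0.0.0 as attacker and target, port 0."""
    return (alert.get("Attacker IP") == "0.0.0.0"
            and alert.get("Target IP") == "0.0.0.0"
            and alert.get("Target Port") == "0")

def split_alerts(text: str):
    """Return (summary aggregates, per-flow alerts) for downstream handling."""
    parsed = parse_alerts(text)
    return ([a for a in parsed if is_summary_alert(a)],
            [a for a in parsed if not is_summary_alert(a)])
```

Summary aggregates should be routed to a counter or threshold rule rather than to host-based enrichment, which is where a 0.0.0.0 "attacker" otherwise ends up.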
