Sig SYN Flood DOS id="6009" dest address 0.0.0.0

Answered Question
Jul 6th, 2009

Hi, All!

I receive sig 6009 with destination address 0.0.0.0:

evIdsAlert: eventId="1244180117471597849" severity="medium" vendor="Cisco"
  originator:
    hostId: IDS
    appName: sensorApp
    appInstanceId: 413
  time: Jul 6 2009 14:18:14 EEST (1246879094502611000) offset="180" timeZone="UTC"
  signature: created="20060220" type="anomaly" version="S214" description="SYN Flood DOS" id="6009"
    subsigId: 0
    sigDetails: SYN Flood DOS
    marsCategory: DoS/Host
    marsCategory: DoS/Network/TCP
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 192.168.155.72 locality="OUT"
      port: 0
    target:
      addr: 0.0.0.0 locality="OUT"
      port: 0
      os: idSource="unknown" relevance="unknown" type="unknown"
  summary: 3 final="true" initialAlert="1244180117471597835" summaryType="Regular"
  alertDetails: Regular Summary: 3 events this interval ;
  riskRatingValue: 63 targetValueRating="medium"
  threatRatingValue: 63
  interface: fe0_1
  protocol: tcp

I cannot make out the meaning of the address 0.0.0.0.

Is it a bug?

Correct Answer by rhermes about 7 years 5 months ago

No, it's not a bug. The scanning signatures summarize the attacked addresses into 0.0.0.0.

This is because in scans there are a LOT of destination addresses that are hit in order to fire the signature, but there is only one attacked address field in every signature.
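A small parser for the flattened evIdsAlert output shown above, added here as an example rather than anything from the thread or from Cisco: it reads the key/attribute lines, keeps the attacker and target fields apart, and treats the 0.0.0.0 target of a summary alert as the aggregated placeholder the answer describes instead of a real victim host (the sample alert and the function names are constructed for this example).

```python
import re
# Constructed sample: the thread's alert, reduced to the fields this parser needs.
SAMPLE_ALERT = """evIdsAlert: eventId="1244180117471597849" severity="medium" vendor="Cisco"
signature: created="20060220" type="anomaly" version="S214" description="SYN Flood DOS" id="6009"
participants:
attacker:
addr: 192.168.155.72 locality="OUT"
port: 0
target:
addr: 0.0.0.0 locality="OUT"
port: 0
summary: 3 final="true" initialAlert="1244180117471597835" summaryType="Regular"
"""

ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Split 'key: value attr="x" ...' into (key, bare value, attribute dict)."""
    key, _, rest = line.partition(":")
    attrs = dict(ATTR_RE.findall(rest))
    value = ATTR_RE.sub("", rest).strip()
    return key.strip(), value, attrs

def parse_alert(text):
    """Flatten the sensor output: addr/port get an attacker_/target_ prefix,
    attributes become '<key>_<attr>' (so signature id="6009" -> signature_id)."""
    fields, role = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, value, attrs = parse_line(line)
        if key in ("attacker", "target"):
            role = key  # the following addr/port lines belong to this participant
            continue
        name = f"{role}_{key}" if role and key in ("addr", "port") else key
        fields[name] = value
        for attr, attr_value in attrs.items():
            fields[f"{name}_{attr}"] = attr_value
    return fields

def target_is_aggregated(alert):
    """0.0.0.0 in a summary alert is a placeholder for the many hosts hit, not a victim."""
    return alert.get("target_addr") == "0.0.0.0" and "summary" in alert

def triage(alert):
    """One-line disposition for a SIEM field or ticket; keeps 0.0.0.0 out of victim lists."""
    sig, src = alert.get("signature_id", "?"), alert.get("attacker_addr", "?")
    if target_is_aggregated(alert):
        return f"sig {sig} from {src}: {alert['summary']} events, targets aggregated (0.0.0.0)"
    return f"sig {sig} from {src} to {alert.get('target_addr', '?')}"
```

Feeding the full alert from the question through parse_alert gives the same result; the extra originator and os lines simply become additional fields.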
