07-06-2009 04:17 AM - edited 03-10-2019 04:41 AM
Hi, All!
I receive sig 6009 with destination address 0.0.0.0:
evIdsAlert: eventId="1244180117471597849" severity="medium" vendor="Cisco"
originator:
hostId: IDS
appName: sensorApp
appInstanceId: 413
time: Jul 6 2009 14:18:14 EEST (1246879094502611000) offset="180" timeZone="UTC"
signature: created="20060220" type="anomaly" version="S214" description="SYN Flood DOS" id="6009"
subsigId: 0
sigDetails: SYN Flood DOS
marsCategory: DoS/Host
marsCategory: DoS/Network/TCP
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: 192.168.155.72 locality="OUT"
port: 0
target:
addr: 0.0.0.0 locality="OUT"
port: 0
os: idSource="unknown" relevance="unknown" type="unknown"
summary: 3 final="true" initialAlert="1244180117471597835" summaryType="Regular"
alertDetails: Regular Summary: 3 events this interval ;
riskRatingValue: 63 targetValueRating="medium"
threatRatingValue: 63
interface: fe0_1
protocol: tcp
I cannot understand the meaning of the destination address 0.0.0.0.
Is it a bug?
07-06-2009 08:08 AM
No, it's not a bug. The scanning signatures summarize the attacked addresses into 0.0.0.0.
This is because in scans there are a LOT of destination addresses that are hit in order to fire the signature, but there is only one attacked address field in every signature.
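To make the summarisation described in the answer concrete, here is an added Python example. It is not Cisco IPS code and does not reproduce the real 6009 logic; the SYN threshold, the time window and the sample SYN records are constructed assumptions. It buckets SYNs per attacker within a window, emits one alert per attacker that crosses the threshold, and fills the single target field with the one destination when only one host was hit and with 0.0.0.0 when several were. It also parses the evIdsAlert text format from the question so a triage script can recognise such aggregated alerts and read the event count from the summary line.

```python
"""Added example, not Cisco IPS code: how a scan/flood signature collapses
many destinations into the single target field 0.0.0.0.
Threshold, window and the SAMPLE traffic below are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

SYN_THRESHOLD = 3         # assumed: SYNs from one source per window before firing
WINDOW_SECONDS = 60.0     # assumed: summarisation interval
MULTI_TARGET = "0.0.0.0"  # placeholder the answer above describes


@dataclass
class SynRecord:
    ts: float   # seconds since some epoch
    src: str
    dst: str
    dport: int


# Constructed sample traffic (not captured data):
#  - 192.168.155.72 sweeps three different hosts (a scan-like pattern)
#  - 10.9.8.7 hammers one host four times (a single-target flood)
#  - 172.16.0.9 sends only two SYNs (below threshold)
#  - a late SYN from 192.168.155.72 lands in the next window
SAMPLE = [
    SynRecord(0.0, "192.168.155.72", "10.0.0.1", 80),
    SynRecord(1.0, "192.168.155.72", "10.0.0.2", 80),
    SynRecord(2.0, "192.168.155.72", "10.0.0.3", 443),
    SynRecord(0.5, "10.9.8.7", "10.0.0.5", 22),
    SynRecord(1.5, "10.9.8.7", "10.0.0.5", 22),
    SynRecord(2.5, "10.9.8.7", "10.0.0.5", 22),
    SynRecord(3.5, "10.9.8.7", "10.0.0.5", 22),
    SynRecord(0.2, "172.16.0.9", "10.0.0.6", 80),
    SynRecord(0.9, "172.16.0.9", "10.0.0.6", 80),
    SynRecord(100.0, "192.168.155.72", "10.0.0.1", 80),
]


def summarize_syns(records, threshold=SYN_THRESHOLD, window=WINDOW_SECONDS):
    """Return one summary alert per (attacker, window) that reaches the threshold.

    Because the alert has a single target field, the target is the one
    destination when only one host was hit and MULTI_TARGET otherwise; the
    full list of hosts hit is kept separately under 'targets_hit'.
    """
    buckets = defaultdict(list)
    for r in records:
        buckets[(r.src, int(r.ts // window))].append(r)

    alerts = []
    for (src, win), recs in sorted(buckets.items()):
        if len(recs) < threshold:
            continue
        dsts = sorted({r.dst for r in recs})
        alerts.append({
            "attacker": src,
            "window": win,
            "count": len(recs),
            "target": dsts[0] if len(dsts) == 1 else MULTI_TARGET,
            "targets_hit": dsts,
        })
    return alerts


# The alert text from the question, reused here as parser input.
ALERT_TEXT = """\
signature: created="20060220" type="anomaly" version="S214" description="SYN Flood DOS" id="6009"
participants:
attacker:
addr: 192.168.155.72 locality="OUT"
port: 0
target:
addr: 0.0.0.0 locality="OUT"
port: 0
summary: 3 final="true" initialAlert="1244180117471597835" summaryType="Regular"
"""


def parse_alert(text):
    """Pull attacker/target addresses and the summary event count out of
    an evIdsAlert dump in the line-per-field form shown in the question."""
    role, out = None, {}
    for line in text.splitlines():
        s = line.strip()
        if s in ("attacker:", "target:"):
            role = s[:-1]
        elif s.startswith("addr:") and role:
            out[role] = s.split()[1]
        elif s.startswith("summary:"):
            out["summary_count"] = int(s.split()[1])
    return out


def is_multi_target_summary(text):
    """True when the target field carries the 0.0.0.0 placeholder, i.e. the
    sensor aggregated several destinations and the real list is not in the alert."""
    return parse_alert(text).get("target") == MULTI_TARGET


if __name__ == "__main__":
    for a in summarize_syns(SAMPLE):
        print(a)
    print(parse_alert(ALERT_TEXT), is_multi_target_summary(ALERT_TEXT))
```

When triaging, a 0.0.0.0 target on a scan or flood signature therefore means "look at the attacker and the summary count, then pull the destinations from flow or firewall logs"; the alert itself cannot carry them.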
07-06-2009 10:25 PM
Thank you very much for the info!