
Sig SYN Flood DOS id="6009" dest address 0.0.0.0

dkuzmenkov
Level 1

Hi, All!

I receive sig 6009 with destination address 0.0.0.0:

evIdsAlert: eventId="1244180117471597849" severity="medium" vendor="Cisco"
  originator:
    hostId: IDS
    appName: sensorApp
    appInstanceId: 413
  time: Jul 6 2009 14:18:14 EEST (1246879094502611000) offset="180" timeZone="UTC"
  signature: created="20060220" type="anomaly" version="S214" description="SYN Flood DOS" id="6009"
    subsigId: 0
    sigDetails: SYN Flood DOS
    marsCategory: DoS/Host
    marsCategory: DoS/Network/TCP
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 192.168.155.72 locality="OUT"
      port: 0
    target:
      addr: 0.0.0.0 locality="OUT"
      port: 0
      os: idSource="unknown" relevance="unknown" type="unknown"
  summary: 3 final="true" initialAlert="1244180117471597835" summaryType="Regular"
  alertDetails: Regular Summary: 3 events this interval ;
  riskRatingValue: 63 targetValueRating="medium"
  threatRatingValue: 63
  interface: fe0_1
  protocol: tcp

I cannot get the meaning of the address 0.0.0.0.

Is it a bug?

Accepted Solutions

rhermes
Level 7

No, it's not a bug. The scanning signatures summarize the attacked addresses into 0.0.0.0.

This is because in scans there are a LOT of destination addresses that are hit in order to fire the signature, but there is only one attacked address field in every signature.

Thank you very much for the info!
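
The accepted answer above matters when these alerts are fed into a SIEM or correlation rule: a target of 0.0.0.0 is a placeholder for many destinations, not a host to look up. The following is an added example, not part of the original thread or of any Cisco tooling; the function names and output field names are hypothetical, and the sample is a trimmed copy of the alert quoted in the question.

```python
import ipaddress
import re

# Constructed sample: trimmed copy of the alert quoted in the question.
SAMPLE_ALERT = """\
evIdsAlert: eventId="1244180117471597849" severity="medium" vendor="Cisco"
  signature: created="20060220" type="anomaly" version="S214" description="SYN Flood DOS" id="6009"
  participants:
    attacker:
      addr: 192.168.155.72 locality="OUT"
      port: 0
    target:
      addr: 0.0.0.0 locality="OUT"
      port: 0
  summary: 3 final="true" initialAlert="1244180117471597835" summaryType="Regular"
"""

def parse_alert(text):
    """Extract signature id, attacker, targets and summary count from alert text."""
    alert = {"sig_id": None, "attacker": None, "targets": [], "summary_count": None}
    role = None  # participant block ("attacker"/"target") the next addr belongs to
    for raw in text.splitlines():
        line = raw.strip()  # tolerate missing indentation and blank lines
        if line in ("attacker:", "target:"):
            role = line[:-1]
        elif line.startswith("signature:"):
            m = re.search(r'\bid="(\d+)"', line)
            alert["sig_id"] = int(m.group(1)) if m else None
        elif line.startswith("addr:") and role:
            addr = ipaddress.ip_address(line.split()[1])
            if role == "attacker":
                alert["attacker"] = addr
            else:
                alert["targets"].append(addr)
        elif line.startswith("summary:"):
            alert["summary_count"] = int(line.split()[1])
    return alert

def normalize_targets(alert):
    """Report real target hosts separately from the 0.0.0.0 summary placeholder."""
    attacker = alert["attacker"]
    return {
        "sig_id": alert["sig_id"],
        "attacker": str(attacker) if attacker is not None else None,
        "targets": [str(a) for a in alert["targets"] if not a.is_unspecified],
        "targets_summarized": any(a.is_unspecified for a in alert["targets"]),
        "events_in_interval": alert["summary_count"],
    }

if __name__ == "__main__":
    print(normalize_targets(parse_alert(SAMPLE_ALERT)))
```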
