07-06-2009 04:17 AM - edited 03-10-2019 04:41 AM
Hi, All!
I receive sig 6009 with destination address 0.0.0.0:
evIdsAlert: eventId="1244180117471597849" severity="medium" vendor="Cisco"
originator:
hostId: IDS
appName: sensorApp
appInstanceId: 413
time: Jul 6 2009 14:18:14 EEST (1246879094502611000) offset="180" timeZone="UTC"
signature: created="20060220" type="anomaly" version="S214" description="SYN Flood DOS" id="6009"
subsigId: 0
sigDetails: SYN Flood DOS
marsCategory: DoS/Host
marsCategory: DoS/Network/TCP
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: 192.168.155.72 locality="OUT"
port: 0
target:
addr: 0.0.0.0 locality="OUT"
port: 0
os: idSource="unknown" relevance="unknown" type="unknown"
summary: 3 final="true" initialAlert="1244180117471597835" summaryType="Regular"
alertDetails: Regular Summary: 3 events this interval ;
riskRatingValue: 63 targetValueRating="medium"
threatRatingValue: 63
interface: fe0_1
protocol: tcp
I cannot understand the meaning of the address 0.0.0.0.
Is it a bug?
07-06-2009 08:08 AM
No, it's not a bug. The scanning signatures summarize the attacked addresses into 0.0.0.0.
This is because in scans there are a LOT of destination addresses that are hit in order to fire the signature, but there is only one attacked address field in every signature.
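To make that behaviour visible in triage tooling, here is an added example (not Cisco code and not from either poster) that parses the evIdsAlert text in the shape shown above and flags the case where the target address is the 0.0.0.0 roll-up placeholder of a summary alert, so an analyst knows to recover the real destinations from flow or firewall logs instead of treating 0.0.0.0 as a host. The sample alert is the one from the question, trimmed; the field names used as dict keys (attacker.addr, target.addr, summary.summaryType) are a naming convention chosen for this example.

```python
"""Triage helper for Cisco IPS evIdsAlert summary alerts (added example).

The parser is a minimal one written for this example and only handles the
flat 'key: value attr="x"' layout seen in the post; it is not Cisco code.
"""
import re
from typing import Dict

# Constructed sample: the alert text from the thread above, trimmed.
SAMPLE_ALERT = """\
evIdsAlert: eventId="1244180117471597849" severity="medium" vendor="Cisco"
signature: created="20060220" type="anomaly" version="S214" description="SYN Flood DOS" id="6009"
subsigId: 0
marsCategory: DoS/Host
marsCategory: DoS/Network/TCP
participants:
attacker:
addr: 192.168.155.72 locality="OUT"
port: 0
target:
addr: 0.0.0.0 locality="OUT"
port: 0
summary: 3 final="true" initialAlert="1244180117471597835" summaryType="Regular"
riskRatingValue: 63 targetValueRating="medium"
protocol: tcp
"""

SUMMARY_PLACEHOLDER = "0.0.0.0"          # roll-up address used by scan/flood summaries
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')  # trailing name="value" attributes


def parse_alert(text: str) -> Dict[str, object]:
    """Flatten evIdsAlert text into a dict.

    'attacker:' / 'target:' open a participant scope, so following addr/port
    lines become attacker.addr, target.addr, etc.  Repeated keys (marsCategory)
    collect into a list.  Attributes are stored as key.attrname.
    """
    out: Dict[str, object] = {}
    scope = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, rest = line.partition(":")
        key, rest = key.strip(), rest.strip()
        if key in ("attacker", "target") and not rest:
            scope = key + "."
            continue
        if key == "participants":
            scope = ""
            continue
        full = scope + key if key in ("addr", "port") else key
        attrs = dict(ATTR_RE.findall(rest))
        value = ATTR_RE.sub("", rest).strip()
        if full in out:  # repeated key -> list of values
            prev = out[full]
            out[full] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            out[full] = value
        for name, val in attrs.items():
            out[f"{full}.{name}"] = val
    return out


def is_summarized_target(alert: Dict[str, object]) -> bool:
    """True when target.addr is the 0.0.0.0 placeholder of a summary alert.

    Many destinations were hit and rolled into one event, so the victim set
    must come from flow logs, not from this field.
    """
    has_summary = "summary.summaryType" in alert or alert.get("summary", "") != ""
    return alert.get("target.addr") == SUMMARY_PLACEHOLDER and has_summary


def triage(text: str) -> Dict[str, object]:
    """Return the fields an analyst needs plus a triage note."""
    alert = parse_alert(text)
    summarized = is_summarized_target(alert)
    count = str(alert.get("summary", ""))
    return {
        "signature_id": alert.get("signature.id"),
        "attacker": alert.get("attacker.addr"),
        "target": alert.get("target.addr"),
        "event_count": int(count) if count.isdigit() else None,
        "summarized_target": summarized,
        "note": ("target 0.0.0.0 is a summary placeholder, not a host: pivot on the "
                 "attacker address in flow logs to enumerate the real destinations"
                 if summarized else "target field is a real host"),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_ALERT).items():
        print(f"{k}: {v}")
```

Running it on the sample reports signature 6009, attacker 192.168.155.72, a summarized 0.0.0.0 target and an event count of 3, which is exactly the situation the answer describes; a non-summary alert with a real target address is left untouched by the note.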
07-06-2009 10:25 PM
Thank you very much for the info!