1728 Views | 0 Helpful | 6 Replies

Unable to took action for some sig. in IPS-4260

chinmay.panda
Level 1

One of our customers is using an IPS-4260 (6.1(2p1)). But for some traffic the IPS was unable to recognize the victim and attacker IP (in the logs it shows the IP as 0.0.0.0), and for the same traffic the IPS was also unable to take any action.

Kindly let us know why this is happening.

6 Replies

Hi,

This looks like an IP spoofing attack.

You can configure an anti-spoofing ACL on your internet router/firewall in order to prevent this.

andrey.dugin
Level 1

It is not a spoofing attack.

It is a summarized signature. When you double-click on it you can see the details.

Summarized signatures are usually used to decrease the number of events in the alarm panel.

In a summarized signature, do we get both the source and destination (attacker and victim) IP as 0.0.0.0?

I do not think so.

In most cases the victim IP being marked as 0.0.0.0 means there are multiple attacks.

We also have this issue, but after applying ip verify unicast reverse-path (following some guidelines specified in the NSA router security guide) on the router interface I did not see any events with both the attacker and victim IP displayed as 0.0.0.0.

But I am still getting the victim IP as 0.0.0.0 for some attacker IPs, and in the details it is mentioned as a summary event.

There are 2 levels of summarization.

There is the first level of summarization which will usually summarize by either Attacker IP or Victim IP. (NOTE: Other methods of Summarization also exist, like by Attacker IP and Attacker Port, but these other methods are rarely used)

Each signature is specifically configured to summarize using a specific method, as designated by the "Summary Key". Select the signature in IDM (or IME) and select Edit. In the Edit window that comes up you can find the Summary Key configuration and see what the signature has been set to summarize on.

If it is set to summarize by Attacker IP, then the Attacker IP will be seen, but the Victim IP will be set to 0.0.0.0.

If the Summary Key is Victim IP, then the Attacker IP will be 0.0.0.0, and the Victim IP will be seen in the alert.

NOTE: Even in Summary Mode, the very first alert of a Summary Interval is generally created with both IPs filled in.

Many signatures are configured for FireAll as the Summary Mode, but are configured to upgrade into Summary Mode if too many alerts are seen.

Other signatures are known to fire often when seen, and are configured to start out in Summary Mode.

The next level of Summarization is Global Summary.

Very few alerts are configured to start off in Global Summary mode.

Instead, most alerts are configured to automatically upgrade from Summary Mode into Global Summary Mode when too many Summary alerts are being generated.

In Global Summary Mode both the Attacker IP and Victim IP will be set to 0.0.0.0

So when you see 0.0.0.0 in an alert, then check the alert details.

It is almost always a Summary Alert when either the Attacker IP or Victim IP are 0.0.0.0.

And it is almost always a Global Summary Alert when both the Attacker IP and Victim IP are 0.0.0.0.

As for the action field.

When Summary Alerts, or Global Summary Alerts are generated the action fields are always blank.

The sensor does not track what actions took place on every individual alert being counted in the Summary Alert. The actions took place on the individual alerts, not on the Summary Alert, so no actions are marked in the Summary Alert.

In order to track what actions are being done you would need to ensure the sensor is generating the individual alerts.

For those signatures that are configured to start out in Summary Mode, you may want to reconfigure them to start out in FireAll mode, and then have them upgrade to Summary Mode.

This way you can see the actions on individual alerts before too many happen and it upgrades to Summary Mode.

NOTE: There is no option to get the actions shown in Summary Alerts.
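The reply above describes three alert forms (individual, Summary keyed on one IP, Global Summary) and the triage rule for telling them apart. The following Python model is an added example, not code from the thread or from Cisco: it replays a constructed list of individual alerts for signature 13004/0 through the FireAll -> Summary -> Global Summary upgrade path and shows where 0.0.0.0 and the blank action field come from. The thresholds, the `summary_key` field names and the `kind` label are assumptions made for the example; on a real sensor these are per-signature settings edited in IDM/IME.

```python
from collections import Counter
from dataclasses import dataclass

ZERO_IP = "0.0.0.0"   # placeholder the sensor writes for the side that was summarized away


@dataclass(frozen=True)
class Alert:
    sig_id: str
    attacker: str
    victim: str
    action: str = ""          # blank on Summary and Global Summary alerts
    kind: str = "individual"  # assumed label: "individual", "summary" or "global-summary"
    count: int = 1            # number of individual alerts folded into a summary


def classify(alert):
    """Triage rule from the reply: one 0.0.0.0 side -> Summary, both sides -> Global Summary."""
    zeros = (alert.attacker == ZERO_IP) + (alert.victim == ZERO_IP)
    return {0: "individual", 1: "summary", 2: "global-summary"}[zeros]


def summarize(alerts, summary_key, summary_threshold, global_threshold):
    """Model one Summary Interval for a signature that starts in FireAll mode.

    - The first `summary_threshold` alerts fire individually, action intact.
    - Remaining alerts are folded into one Summary alert per distinct value of
      `summary_key` ("attacker" or "victim"); the other IP becomes 0.0.0.0.
    - If more than `global_threshold` Summary alerts would result, everything
      collapses into a single Global Summary alert with both IPs 0.0.0.0.
    Thresholds are constructed for the example, not real sensor defaults.
    """
    if summary_key not in ("attacker", "victim"):
        raise ValueError("summary_key must be 'attacker' or 'victim'")
    individual = list(alerts[:summary_threshold])
    rest = alerts[summary_threshold:]
    if not rest:
        return individual
    sig_id = rest[0].sig_id
    per_key = Counter(getattr(a, summary_key) for a in rest)
    if len(per_key) > global_threshold:
        # Too many Summary alerts: upgrade to Global Summary, both sides zeroed.
        return individual + [Alert(sig_id, ZERO_IP, ZERO_IP, "", "global-summary", len(rest))]
    summaries = []
    for key_ip, n in per_key.items():
        attacker = key_ip if summary_key == "attacker" else ZERO_IP
        victim = key_ip if summary_key == "victim" else ZERO_IP
        summaries.append(Alert(sig_id, attacker, victim, "", "summary", n))
    return individual + summaries


# Constructed sample: six individual alerts in one interval (documentation IP ranges).
SAMPLE = [
    Alert("13004/0", "198.51.100.1", "192.0.2.10", "deny-packet-inline"),
    Alert("13004/0", "198.51.100.1", "192.0.2.10", "deny-packet-inline"),
    Alert("13004/0", "198.51.100.2", "192.0.2.10", "deny-packet-inline"),
    Alert("13004/0", "198.51.100.1", "192.0.2.10", "deny-packet-inline"),
    Alert("13004/0", "198.51.100.2", "192.0.2.11", "deny-packet-inline"),
    Alert("13004/0", "198.51.100.3", "192.0.2.10", "deny-packet-inline"),
]

if __name__ == "__main__":
    for a in summarize(SAMPLE, "attacker", 2, 3):
        print(classify(a), a.attacker, a.victim, repr(a.action), a.count)
```

Running it with `summary_key="attacker"` shows the two FireAll alerts with their action, followed by Summary alerts where only the attacker is visible; lowering `global_threshold` to 2 collapses those into one alert with both IPs 0.0.0.0, which is exactly the log line the original post was asking about.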

gijoesamuel
Level 1

Hi,

With respect to the first post, I am facing the same issue.

For Sig. 13004/0: the Victim IP is showing as 0.0.0.0.

And for Sig. 13005/0: no Victim is shown; it is a blank space.

Please let us know why this is happening and how we can resolve it.
