net sweep echo with destination of 0.0.0.0

Apr 2nd, 2002

We have several sensors at the 3.0(5)S17 level that are reporting net sweep echo (2100) events with a source and/or destination IP of 0.0.0.0. How is this possible? Is this a bug?

jakasper Tue, 04/02/2002 - 12:43

This is not a bug. It is the result of a summary alarm.

Summary alarms on sweeps have targeted multiple victim addresses and there is only one slot for an address in the alarm record, so we chose to zero it out before the alarm is sent.

You can see the summary details (counts) in the data field of the alarm.

You can turn off summary alarms by adjusting the following parameters for the signature 2100:

AlarmThrottle FireAll
ChokeThreshold ANY

Please let us know if this helps,

-JK
dmarchelle Thu, 04/04/2002 - 05:47

How do I set ChokeThreshold ANY? nrConfigure does not seem to want to accept a non-numeric value.

astuckey Mon, 04/08/2002 - 12:40

Instead of just using zero, would it be possible to give a class A, B, or C dot-zero address which encompasses the destinations seen so far? 0.0.0.0 would still be the fallback for a multiple-class-A sweep, I would expect.
This would have immediate application in solving some of the filtering problems. IN and OUT are useless filter modes when 0.0.0.0 is the only thing reported.

dsimonis Mon, 05/06/2002 - 06:59

This brings up a question for me. Assuming that I have not turned off summary addresses, and I have alerts with 0.0.0.0 as the source AND destination, how in the devil can I filter these?
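One way to handle the filtering problem raised in this thread, as an added example that is not code from the thread or from the sensor product: split sweep summary alarms (signature 2100 with a zeroed address slot) off before any address-based IN/OUT classification, since 0.0.0.0 never falls inside a real network. The Alarm record layout, the sample records and the "N victims" text in the data field are constructed assumptions; the page does not show the real export format.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

SWEEP_SIG = 2100      # net sweep echo signature id named in the thread
ZEROED = "0.0.0.0"    # placeholder the sensor writes when many victims were hit


@dataclass
class Alarm:
    sig_id: int
    src: str
    dst: str
    data: str  # free-text data field; the thread says summary counts live here


def is_summary(a: Alarm) -> bool:
    """Summary alarm: sweep signature whose source or destination slot was zeroed.
    0.0.0.0 here means 'multiple addresses', not traffic from or to 0.0.0.0."""
    return a.sig_id == SWEEP_SIG and ZEROED in (a.src, a.dst)


def summary_count(a: Alarm) -> Optional[int]:
    """Pull the first integer out of the data field (field layout is assumed)."""
    m = re.search(r"\d+", a.data)
    return int(m.group()) if m else None


def route(alarms: List[Alarm], inside: str) -> Dict[str, List[Alarm]]:
    """Bucket alarms: summary records first, then IN/OUT by destination address.
    Applying IN/OUT directly would misclassify every zeroed record as OUT."""
    net = ip_network(inside)
    buckets: Dict[str, List[Alarm]] = {"summary": [], "in": [], "out": []}
    for a in alarms:
        if is_summary(a):
            buckets["summary"].append(a)
        elif ip_address(a.dst) in net:
            buckets["in"].append(a)
        else:
            buckets["out"].append(a)
    return buckets


# Constructed sample records (documentation address ranges), not real sensor output.
SAMPLE = [
    Alarm(2100, "0.0.0.0", "0.0.0.0", "summary: 37 victims"),
    Alarm(2100, "203.0.113.9", "0.0.0.0", "summary: 12 victims"),
    Alarm(2100, "203.0.113.9", "192.0.2.15", ""),
    Alarm(2100, "192.0.2.15", "198.51.100.7", ""),
]

if __name__ == "__main__":
    for name, items in route(SAMPLE, "192.0.2.0/24").items():
        print(name, [(a.src, a.dst, summary_count(a)) for a in items])
```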
