04-02-2002 12:05 PM - edited 03-08-2019 10:13 PM
We have several sensors at the 3.0(5)S17 level that are reporting net sweep echo (2100) events with a source and/or destination IP of 0.0.0.0. How is this possible? Is this a bug?
04-02-2002 12:43 PM
This is not a bug. It is the result of a summary alarm.
Summary alarms on sweeps have targeted multiple victim addresses and there is only one slot for an address in the alarm record, so we chose to zero it out before the alarm is sent.
You can see the summary details (counts) in the data field of the alarm.
You can turn off summary alarms by adjusting the following parameters for the signature 2100:
AlarmThrottle FireAll
ChokeThreshold ANY
Please let us know if this helps,
-JK
04-04-2002 05:47 AM
How do I set ChokeThreshold ANY? nrConfigure does not seem to want to accept a non-numeric value.
04-08-2002 12:40 PM
Instead of just using zero, would it be possible to give a class A, B, or C dot-zero address which encompasses the destinations seen so far? 0.0.0.0 would still be the fallback for a multiple-class-A sweep, I would expect.
This would have immediate application in solving some of the filtering problems. IN and OUT are useless filter modes when 0.0.0.0 is the only thing reported.
05-06-2002 06:59 AM
This brings up a question for me. Assuming that I have not turned off summary addresses, and I have alerts with 0.0.0.0 as the source AND destination, how in the devil can I filter these?
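A small model of the summary-alarm behaviour described in JK's reply and of the filtering problem raised in the last two posts, added here as an illustration (this is not Cisco IDS code, and the record layout, the `build_alarms` / `in_filter` / `split_summaries` names and the sample events are constructed assumptions). It shows why a record whose destination slot has been zeroed to 0.0.0.0 can never match an address-based IN filter, while the same events under AlarmThrottle FireAll all do, and how a consumer can at least recognise the summary records from the placeholder address and the counts in the data field:

```python
"""Model of sweep summary alarms (signature 2100) vs. AlarmThrottle FireAll.

Added illustration only; assumes a simplified alarm record with a single
source/destination slot and a free-form data field, as the thread describes.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

SIG_NET_SWEEP_ECHO = 2100      # signature id from the thread
SUMMARY_ADDR = "0.0.0.0"       # placeholder used when one slot cannot hold all victims


@dataclass
class Alarm:
    sig_id: int
    src: str
    dst: str
    data: dict = field(default_factory=dict)   # summary counts are carried here


# Constructed sample: one host sweeps five addresses, another pings one host 3 times.
SAMPLE_EVENTS = [
    ("192.0.2.10", "10.1.0.1"), ("192.0.2.10", "10.1.0.2"), ("192.0.2.10", "10.1.0.3"),
    ("192.0.2.10", "10.1.0.4"), ("192.0.2.10", "10.1.0.5"),
    ("192.0.2.20", "10.1.0.7"), ("192.0.2.20", "10.1.0.7"), ("192.0.2.20", "10.1.0.7"),
]


def build_alarms(sig_id, events, fire_all=False):
    """Turn (src, dst) sweep events into alarm records.

    fire_all=True models AlarmThrottle FireAll / ChokeThreshold ANY: one record
    per event, real addresses preserved.  fire_all=False models the summary
    alarm: one record per source; when that source hit more than one victim the
    single destination slot is zeroed and only counts go into the data field.
    """
    if fire_all:
        return [Alarm(sig_id, s, d, {"count": 1}) for s, d in events]
    per_src = {}
    for s, d in events:
        per_src.setdefault(s, Counter())[d] += 1
    alarms = []
    for s, hits in per_src.items():
        if len(hits) == 1:                      # one victim: the slot can hold it
            [(d, n)] = hits.items()
            alarms.append(Alarm(sig_id, s, d, {"count": n}))
        else:                                   # several victims: zero the slot
            alarms.append(Alarm(sig_id, s, SUMMARY_ADDR,
                                {"victims": len(hits), "count": sum(hits.values())}))
    return alarms


def is_summary(alarm):
    """A zeroed source or destination marks a summary record."""
    return SUMMARY_ADDR in (alarm.src, alarm.dst)


def in_filter(alarms, protected_net):
    """Address-based IN filter: keep alarms whose destination is inside the net.
    0.0.0.0 is never inside a protected network, so summaries always fall out."""
    net = ipaddress.ip_network(protected_net)
    return [a for a in alarms if ipaddress.ip_address(a.dst) in net]


def split_summaries(alarms):
    """Route summary records separately instead of losing them to an IN/OUT filter."""
    summaries = [a for a in alarms if is_summary(a)]
    detailed = [a for a in alarms if not is_summary(a)]
    return summaries, detailed


if __name__ == "__main__":
    for mode in (False, True):
        alarms = build_alarms(SIG_NET_SWEEP_ECHO, SAMPLE_EVENTS, fire_all=mode)
        kept = in_filter(alarms, "10.1.0.0/16")
        print(f"fire_all={mode}: {len(alarms)} alarms, {len(kept)} pass IN 10.1.0.0/16")
        for a in split_summaries(alarms)[0]:
            print("  summary:", a)
```

With the sample events the summary mode yields two records, and the one for the sweeping source carries dst 0.0.0.0 with the victim and packet counts in `data`; an IN filter on 10.1.0.0/16 keeps only the single-victim record, whereas in FireAll mode all eight records pass.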