net sweep echo with destination of 0.0.0.0

dmarchelle
Level 1

We have several sensors at the 3.0(5)S17 level that are reporting net sweep echo (2100) events with a source and/or destination IP of 0.0.0.0. How is this possible? Is this a bug?

4 Replies

jakasper
Level 1

This is not a bug. It is the result of a summary alarm.

Summary alarms on sweeps have targeted multiple victim addresses and there is only one slot for an address in the alarm record, so we chose to zero it out before the alarm is sent.

You can see the summary details (counts) in the data field of the alarm.

You can turn off summary alarms by adjusting the following parameters for the signature 2100:

AlarmThrottle FireAll

ChokeThreshold ANY

Please let us know if this helps,

-JK

How do I set ChokeThreshold ANY? nrConfigure does not seem to want to accept a non-numeric value.

Instead of just using zero, would it be possible to give a class A, B, or C dot-zero address which encompasses the destinations seen so far? 0.0.0.0 would still be the fallback for a multiple-class-A sweep, I would expect.

This would have immediate application in solving some of the filtering problems. IN and OUT are useless filter modes when 0.0.0.0 is the only thing reported.

This brings up a question for me. Assuming that I have not turned off summary addresses, and I have alerts with 0.0.0.0 as the source AND destination, how in the devil can I filter these?
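One way to keep the zeroed-out summary alarms visible instead of losing them to IN/OUT matching, as an added Python example that is not from this thread or from the sensor software; the comma-separated record layout, the "hosts=N" token in the data field and the 10.0.0.0/8 internal prefix are assumptions made for the example:

```python
"""Added example (not from the thread): triage sensor alarms whose source or
destination was zeroed to 0.0.0.0 by sweep summarisation. Record layout and
the 'hosts=N' data token are constructed; adapt parse_alarm() to your export."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

WILDCARD = "0.0.0.0"  # written by the sensor when one slot must stand for many victims

class Alarm(NamedTuple):
    sig_id: int
    src: str
    dst: str
    data: str

def parse_alarm(line: str) -> Alarm:
    """Constructed layout: '<sigid>,<src>,<dst>,<data>'."""
    sig, src, dst, data = (f.strip() for f in line.split(",", 3))
    return Alarm(int(sig), src, dst, data)

def classify(alarm: Alarm, internal: str) -> str:
    """SUMMARY when an address was zeroed (direction unknowable), else IN/OUT/..."""
    if WILDCARD in (alarm.src, alarm.dst):
        return "SUMMARY"
    net = ip_network(internal)
    src_in = ip_address(alarm.src) in net
    dst_in = ip_address(alarm.dst) in net
    if src_in and dst_in:
        return "INTERNAL"
    return "OUT" if src_in else "IN" if dst_in else "EXTERNAL"

def summary_victim_count(alarm: Alarm) -> Optional[int]:
    """Pull the victim count out of the data field (constructed 'hosts=N' token)."""
    m = re.search(r"hosts=(\d+)", alarm.data)
    return int(m.group(1)) if m else None

def triage(lines, internal: str) -> dict:
    """Count alarms per class so summary sweeps are surfaced separately
    instead of silently vanishing from an IN/OUT filter."""
    return dict(Counter(classify(parse_alarm(l), internal) for l in lines))

SAMPLE = [  # constructed records, not real sensor output
    "2100,198.51.100.7,0.0.0.0,hosts=37 echo",
    "2100,0.0.0.0,0.0.0.0,hosts=512 echo",
    "2100,198.51.100.7,10.0.0.5,",
    "2100,10.0.0.9,203.0.113.2,",
]
```

Running `triage(SAMPLE, "10.0.0.0/8")` reports the two summary records in their own bucket alongside one IN and one OUT alarm.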
