IPS Event Victim IP is 0.0.0.0

Document

Sun, 03/01/2015 - 21:24
Apr 30th, 2014
User Badges:
  • Silver, 250 points or more

Introduction

This document describes the issue faced by an user where he is getting an event alert from IPS "Victim IP is 0.0.0.0 

Prerequisites

  • ASA 5500 or 5500x IPS modules
  • IPS 4200, 4300 or 4500 series IPS appliances
  • NME-IPS module

Problem

User is viewing event in IPS that shows victim IP is 0.0.0.0.Some learned experts informed that this is a summarized event. But how can user get details of victim IP if he/she need to know.

Scenario 2:

User is confused about the difference between Network malware scanner and the IPS.

For example - Cisco doesn't have integrated malware scanner in the NGFW, but some vendors have. What is the purpose of having IPS and malware simultaneously? The only thing i can think about is malware scanners can fix infected files (on Iron-Port ESA for example) and IPS directly drops traffic.

Solution

What is IPS Summarization?
IPS summarization can be defines as a process which enables the user to aggregate events in a single alert. It is done because it reduces the number of alerts sent to the administrator. Every signature is made with defaults attributes which reflect a preferred, normal behavior. However, each signature has unique and special attributes which influence the process of alert handling. Default behavior of signatures can be manipulated within the limits for each engine type.

Summarization and event actions are processed after the meta engine has processed the component events. This lets the sensor watch for suspicious activity over a series of events.

Summarization modes supported:

  • Simple mode - configures a threshold number of hits for a signature that must be met before the alert is sent.
  • Advanced mode - configures a threshold number of hits per second (timed-interval count) for a signature that must be met before the alert is sent.

Summarization Options

  • fire-all - It is used to fire an alert each time the signature is triggered. If threshold is configured for summarization, alerts will be fired for every execution until summarization takes place. As soon as summarization starts working, only one alert is issued for every interval fires for each address set. For the other address sets they are either all seen or separately summarized. The signature reverts to fire-all mode after a period of no alerts for that signature.
  • summary - Fires an alert the first time a signature is triggered. Additional alerts for that signature are summarized for the duration of the summary interval. Only one alert every summary interval should fire for each address set. If the global summary threshold is reached, the signature goes into global-summarization mode. global-summarization - Fires an alert for every summary interval. Signatures can be pre-configured for global-summarization.
  • fire-once - Fires an alert for each address set. This mode can be upgraded to global-summarization mode.

Anytime user see the 0.0.0.0 address used in the victim IP address field it is the result of multiple victim IP addresses being summarized. User may see signatures that will tell you the first 10 or so IP addresses that were summarized by looking at the detailed event. If all summarized signatures details show this, but that would be the only way he/she could imagine to see the IP addresses of past events.

You can edit the signature to change the summarization and force it to fire for each victim IP address. This will result in MANY more signatures firing on your device. Please take this into account if your IPS sensor is already heavily loaded. You can edit the signature to change the summarization and force it to fire for each victim IP address.
Some configuration examples mentioned below:
http://www.cisco.com/c/en/us/support/docs/security-vpn/alarm-notification/116110-config-ips-summarization-00.html 

Scenario 2

An IPS scans packets whereas a malware scanner scans files. With the Cisco IPS, you can configure in either promiscuous or inline modes. In inline mode, the IPS can identify and drop malicious packets before they're unleashed on the network. In promiscuous mode, a copy of each packet is sent to the IPS and malicious packets are identified after they arrive at their destination. This means viruses, malware, etc. can potentially be activated on the network.

A network malware scanner scans for already installed malware. For instance, if a new flavor of malware is sent as an attachment to an email address on your network, the IPS will not pick it up since it doesn't have a signature for it. If the attachment is opened, it's unleashed. If you have periodic scans done with your network malware scanner, this is something it'll pick up.

Source Discussion

IPS Event Victim IP is 0.0.0.0

Configuration examples

Loading.

Actions

This Document