
New Member

Event whose target address is 0.0.0.0

Has anyone had an event whose target address is 0.0.0.0? What does it mean?

I am working with IDS 5.1(3), Signature 252.

Thanks in advance,

Cristina

2 REPLIES
New Member

Re: Event whose target address is 0.0.0.0

We opened a ticket to get some explanation; this is what we received:

'It looks like these events are summarized events, so it's normal that we see that the target address is 0.0.0.0. It means that these alarms are not generated for one event but for multiple events where the source is the same but the destination is different, which is why the target is set to 0.0.0.0.

For each signature please ask the customer to check the Alert Frequency. I would expect that they will see that Summary Mode is set to Summarize and that the Summary Key is set to Attacker Address.

If the customer wants to see both source and destination address and to get the alarm for each event they will need to set the Summary Mode to Fire All.'

So I can confirm this correctly describes the situation. When we configure 'fire all', we have all alarms with full details. When we choose, for example, summarize on source/destination, then we have those source/destination details and the rest of the alarms are summarized under the same event.

New Member

Re: Event whose target address is 0.0.0.0

I believe this is what you are asking about...

These are summary events. You can confirm this by checking the event message: right after the "sigDetails" field you'll see "summaryEvtCnt", and it will provide you a count of how many events were summarized into that single event message. This occurs on signatures that are set to summarize within the signature settings. Generally a non-summarized signature triggers first, then it starts to summarize other events. The summary events might have hit multiple destination addresses, but it displays 0.0.0.0. Behavior depends on what signature you're looking at and how it's configured. If you have an application like VMS, check the signature engine, Alert Frequency > Summary Mode to view or override the signature's summary behavior. Hope this answers your question.
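The check described in the two replies (a target of 0.0.0.0 plus a summaryEvtCnt field marks a summarized alert, not a real destination host) as an added example that is not part of this thread. The event lines are constructed in a simplified flattened key=value form, not Cisco's actual SDEE/IDIOM layout; only the field names attacker, target, sigDetails and summaryEvtCnt come from the replies above.

```python
import re

# Constructed sample alerts (simplified key=value form, not Cisco's real format).
SAMPLE_EVENTS = [
    'sigId=252 attacker=192.0.2.10 target=198.51.100.5 sigDetails="ICMP echo"',
    'sigId=252 attacker=192.0.2.10 target=0.0.0.0 sigDetails="ICMP echo" summaryEvtCnt=37',
    'sigId=2004 attacker=192.0.2.22 target=0.0.0.0 sigDetails="ICMP echo req"',
]

# key=value pairs; the value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Turn one flattened alert line into a dict of its fields."""
    fields = {}
    for match in FIELD_RE.finditer(line):
        key, raw, quoted = match.groups()
        fields[key] = quoted if quoted is not None else raw
    return fields


def classify(fields):
    """Return (kind, events_represented) for one parsed alert.

    'summary'   : summaryEvtCnt present, target 0.0.0.0 is a placeholder,
                  the count says how many real events it stands for.
    'per-event' : a normal alert with a real target address.
    'unknown'   : target 0.0.0.0 but no summary count; do not pivot on the
                  target, check Alert Frequency > Summary Mode for the signature.
    """
    count = int(fields.get("summaryEvtCnt", "0"))
    if count > 0:
        return "summary", count
    if fields.get("target") == "0.0.0.0":
        return "unknown", 0
    return "per-event", 1


def tally(lines):
    """Count alert kinds and the total number of underlying events they represent."""
    result = {"summary": 0, "per-event": 0, "unknown": 0, "events_represented": 0}
    for line in lines:
        kind, represented = classify(parse_event(line))
        result[kind] += 1
        result["events_represented"] += represented
    return result


if __name__ == "__main__":
    print(tally(SAMPLE_EVENTS))
```

A pipeline that treats the 0.0.0.0 target as a host (for enrichment or blocking) would act on a placeholder; the summary count, not the target, is the useful signal in those alerts.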
