We opened a ticket to get an explanation; this is what we received:
'It looks like these events are summarized events, so it's normal that we see that the target address is 0.0.0.0. It means that these alarms are not generated for one event but for multiple events where the source is the same but the destination is different, which is why the target is set to 0.0.0.0.
For each signature please ask the customer to check the Alert Frequency. I would expect that they will see that Summary Mode is set to Summarize and that the Summary Key is set to Attacker Address.
If the customer wants to see both source and destination address and to get the alarm for each event they will need to set the Summary Mode to Fire All.'
So I can confirm this correctly describes the situation. When we configure 'fire all', we get all alarms with full details. When we choose, for example, to summarize on source/destination, we get those source/destination details and the rest of the alarms are summarized under the same event.
These are summary events. You can confirm this by checking the event message: right after the "sigDetails" field you'll see "summaryEvtCnt", and it will give you a count of how many events were summarized into that single event message. This occurs on signatures that are set to summarize within the signature settings. Generally a non-summarized signature triggers first, then it starts to summarize other events. The summary events might have hit multiple destination addresses, but it displays 0.0.0.0. Behavior depends on which signature you're looking at and how it's configured. If you have an application like VMS, check the signature engine, Alert Frequency > Summary Mode, to view or override the signature's summary behavior. Hope this answers your question.
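For triage, the check described in the replies above can be scripted so that a 0.0.0.0 target is only accepted as a summarization placeholder when the event carries a "summaryEvtCnt". This is an added example, not part of either reply and not vendor code; the key="value" layout, the `sigId`, `attacker` and `target` field names, and the sample events are constructed assumptions, and it assumes the summary count does not include the first, non-summarized alert.

```python
import re
from collections import Counter

# Constructed sample events in an assumed key="value" export layout (not the
# sensor's real format); only sigDetails and summaryEvtCnt are named in the thread.
SAMPLE_EVENTS = [
    'sigId="1001" attacker="10.1.1.5" target="192.0.2.10" sigDetails="probe"',
    'sigId="1001" attacker="10.1.1.5" target="0.0.0.0" sigDetails="probe" summaryEvtCnt="14"',
    'sigId="2002" attacker="10.1.1.9" target="192.0.2.20" sigDetails="scan"',
    'sigId="2002" attacker="10.1.1.9" target="0.0.0.0" sigDetails="scan"',
]

PAIR = re.compile(r'(\w+)="([^"]*)"')

def classify(line):
    """Return (kind, fields) where kind is 'summary', 'single' or 'suspect'."""
    fields = dict(PAIR.findall(line))
    count = fields.get("summaryEvtCnt")
    if count is not None and count.isdigit():
        # Summary event: the target is a placeholder, not a real destination.
        fields["summaryEvtCnt"] = int(count)
        return "summary", fields
    if fields.get("target") == "0.0.0.0":
        # 0.0.0.0 without a summary count is not explained by summarization.
        return "suspect", fields
    return "single", fields

def events_per_attacker(lines):
    """Underlying events per (sigId, attacker), expanding summary counts."""
    totals = Counter()
    for line in lines:
        kind, f = classify(line)
        key = (f.get("sigId"), f.get("attacker"))
        # Assumption: summaryEvtCnt excludes the first, non-summarized alert.
        totals[key] += f["summaryEvtCnt"] if kind == "summary" else 1
    return totals

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(classify(line)[0], "<-", line)
    print(dict(events_per_attacker(SAMPLE_EVENTS)))
```

Events classified as "suspect" are the ones worth a closer look, since the signature's Summary Mode does not account for their missing destination.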