
IPS/IDS events generated with IP <n/a> instead of ###.###.###.###

Hi,

I see events in SecMon with the victim or attacker IP of <n/a>.

How can I filter those events?

I cannot implement an event action filter in the IDM since the <n/a> is not acceptable as a victim or attacker IP.

It's weird that a signature for TCP traffic generates the src or dst as <n/a> since in the IP header there is a src & dst field...

Sig Name: TCP Hijack

Sig ID: 3250

Severity: High

Risk Rating: 85

Sig Version: S212

Attack Type: General Attack

OS Family: General OS

OS: <n/a>

Protocol: tcp

Protocol Details: TCP

Service: <n/a>

Attacker Address: <n/a> <--------

Attacker Port: <n/a> <--------

Attacker Loc: OUT

Attacker Unreliable: False

Victim Address: 198.133.219.25

Victim Port: <n/a> <--------

Thanks,

JP

1 ACCEPTED SOLUTION


Re: IPS/IDS events generated with IP <n/a> instead of ###.###.##

These weren't summary events, were they? Those could summarize on source or target with the reverse being labeled as '0.0.0.0'. Can you look on the sensor for the raw event and see if that information is present?
