
Network 0.0.0.0 in IPS alerts

Good afternoon:

I have a Cisco IPS 4240 sensor. This appliance is generating alerts with the network 0.0.0.0 as attacker and victim.

Example:

Severity informational
Application Name sensorApp
Event Time 02/20/2009 12:26:19
Sensor Local Time 01/20/2009 12:26:19
Signature ID 1330
Signature Sub-ID 16
Signature Name TCP Drop - PAWS check failed
Signature Version S248
Signature Details TCP Packet segment failed PAWS check
Attacker IP 0.0.0.0
Target IP 0.0.0.0
Target Port 0
Target Locality OUT

Can someone tell me what this means?

Thanks in advance.

1 REPLY

Re: Network 0.0.0.0 in IPS alerts

This generally happens when, in Summary Mode, the alerts are coming from a large number of Attacker IPs or are directed to a large number of Victim IPs.

So instead of trying to show perhaps thousands of IPs in the attacker and/or victim address fields, the field will be populated with only 0.0.0.0.

If you want to see an alert for each time it is triggered, you can reconfigure the signature and set it to FireAll mode with no Summary Threshold.

Syed
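
An added example, not part of the original thread and not Cisco tooling: a small Python triage helper that parses alerts in the text layout shown in the question and separates summary alerts, whose address fields hold the 0.0.0.0 placeholder described in the reply, from per-event alerts. The function names and the second sample alert are constructed for illustration.

```python
import ipaddress

# Field labels exactly as they appear in the alert posted in this thread.
FIELDS = ("Severity", "Application Name", "Event Time", "Sensor Local Time",
          "Signature ID", "Signature Sub-ID", "Signature Name",
          "Signature Version", "Signature Details", "Attacker IP",
          "Target IP", "Target Port", "Target Locality")

def parse_alert(text):
    """Turn 'Label value' lines into a dict; unknown lines are ignored."""
    alert = {}
    for line in text.splitlines():
        line = line.strip()
        for label in FIELDS:
            if line.startswith(label + " "):
                alert[label] = line[len(label):].strip()
                break
    return alert

def summarised_sides(alert):
    """Return which address fields hold the 0.0.0.0 placeholder."""
    sides = []
    for side in ("Attacker IP", "Target IP"):
        value = alert.get(side)
        try:
            if value and ipaddress.ip_address(value).is_unspecified:
                sides.append(side)
        except ValueError:
            pass  # malformed address: not a placeholder, leave for the analyst
    return sides

def triage(alert_texts):
    """Split alerts into per-event ones and summaries keyed by signature."""
    per_event, summaries = [], {}
    for text in alert_texts:
        alert = parse_alert(text)
        sides = summarised_sides(alert)
        if sides:
            key = (alert.get("Signature ID"), alert.get("Signature Sub-ID"))
            summaries.setdefault(key, set()).update(sides)
        else:
            per_event.append(alert)
    return per_event, summaries

# FROM_POST uses values from the question; CONSTRUCTED is a made-up alert
# with documentation-range addresses, added here for contrast.
FROM_POST = ("Signature ID 1330\nSignature Sub-ID 16\n"
             "Attacker IP 0.0.0.0\nTarget IP 0.0.0.0\nTarget Port 0")
CONSTRUCTED = ("Signature ID 1330\nSignature Sub-ID 16\n"
               "Attacker IP 192.0.2.10\nTarget IP 198.51.100.7\nTarget Port 443")
```

The signature keys returned in the summaries dict are the ones whose alerts carry no usable addresses, so 0.0.0.0 from those events should not be fed into host-based correlation.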
