Cisco Support Community

New Member

Sig SYN Flood DOS id="6009" dest address 0.0.0.0

Hi, All!

I receive sig 6009 with destination address 0.0.0.0:

evIdsAlert: eventId="1244180117471597849" severity="medium" vendor="Cisco"

originator:

hostId: IDS

appName: sensorApp

appInstanceId: 413

time: Jul 6 2009 14:18:14 EEST (1246879094502611000) offset="180" timeZone="UTC"

signature: created="20060220" type="anomaly" version="S214" description="SYN Flood DOS" id="6009"

subsigId: 0

sigDetails: SYN Flood DOS

marsCategory: DoS/Host

marsCategory: DoS/Network/TCP

interfaceGroup: vs0

vlan: 0

participants:

attacker:

addr: 192.168.155.72 locality="OUT"

port: 0

target:

addr: 0.0.0.0 locality="OUT"

port: 0

os: idSource="unknown" relevance="unknown" type="unknown"

summary: 3 final="true" initialAlert="1244180117471597835" summaryType="Regular"

alertDetails: Regular Summary: 3 events this interval ;

riskRatingValue: 63 targetValueRating="medium"

threatRatingValue: 63

interface: fe0_1

protocol: tcp

I cannot understand what the address 0.0.0.0 means.

Is it a bug?

1 ACCEPTED SOLUTION

Gold

Re: Sig SYN Flood DOS id="6009" dest address 0.0.0.0

No, it's not a bug. The scanning signatures summarize the attacked addresses into 0.0.0.0.

This is because in scans there are a LOT of destination addresses that are hit in order to fire the signature, but there is only one attacked address field in every signature.
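
An added example (not from the thread or from Cisco) of handling this during alert triage: it parses the text alert format shown in the question and treats a target of 0.0.0.0 as a summarized placeholder rather than a real host. The function names and the trimmed sample alert are constructed for illustration.

```python
import re

# Constructed sample: the alert from the question, trimmed to the fields used here.
SAMPLE_ALERT = """\
evIdsAlert: eventId="1244180117471597849" severity="medium" vendor="Cisco"
signature: created="20060220" type="anomaly" version="S214" description="SYN Flood DOS" id="6009"
participants:
attacker:
addr: 192.168.155.72 locality="OUT"
port: 0
target:
addr: 0.0.0.0 locality="OUT"
port: 0
summary: 3 final="true" initialAlert="1244180117471597835" summaryType="Regular"
"""

PLACEHOLDER = "0.0.0.0"  # per the answer: many destinations summarized into one field

def parse_alert(text):
    """Parse the flattened 'key: value attr="x"' alert dump into a dict."""
    alert = {"attacker": {}, "target": {}}
    role = None  # participant that the following addr/port lines belong to
    for line in text.splitlines():
        key, sep, rest = line.strip().partition(":")
        if not sep:
            continue
        rest = rest.strip()
        if key in ("attacker", "target"):
            role = key
        elif key in ("addr", "port") and role and rest:
            alert[role][key] = rest.split()[0]
        elif key == "signature":
            alert["sig_id"] = dict(re.findall(r'(\w+)="([^"]*)"', rest)).get("id")
        elif key == "summary" and rest:
            alert["summary_count"] = int(rest.split()[0])
    return alert

def triage(alert):
    """Build a triage record that never reports 0.0.0.0 as a real target host."""
    tgt = alert["target"].get("addr")
    return {
        "sig_id": alert.get("sig_id"),
        "source": alert["attacker"].get("addr"),
        "target": None if tgt == PLACEHOLDER else tgt,
        "target_summarized": tgt == PLACEHOLDER,
        "events": alert.get("summary_count", 1),
    }
```

With the placeholder flagged, follow-up for this alert starts from the attacker address (192.168.155.72 in the question) instead of a lookup on 0.0.0.0.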

New Member

Re: Sig SYN Flood DOS id="6009" dest address 0.0.0.0

Thank you very much for the info!
