Cisco Support Community
Community Member

target address 0.0.0.0

I'm running my IDSM in promiscuous mode and creating event action filters to filter benign events. I'm seeing quite a few events (several different signatures) with target IP addr of 0.0.0.0. An example is:

signature: description=TCP Drop - RST or SYN in Window id=1330

target: addr: 0.0.0.0 locality=OUT port: 0

Can anyone tell me the meaning of this?

1 REPLY
Silver

Re: target address 0.0.0.0

0.0.0.0 as a target means the signature entered regular or global summary mode. When this happens, you'll get the initial alert with full source & target info, and then a follow-on summary event (usually for a 30 second window by default) with a count of how often the source address triggered an event. Since the target could be different in the summary, it displays it as 0.0.0.0.

This behavior is tunable by editing the signature and choosing the summary-key of attacker & victim (to prevent 0.0.0.0 as a target). You can also change the summary-interval and choose a number larger than 30 (in seconds - to get longer summary intervals).

Hope this helps.
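
A simplified model of the summarization described in the reply above, added here as an illustration; it is not Cisco's code and not part of the original post. The function name, event fields, sample addresses, and the choice to count every hit in the window are assumptions.

```python
def summarize(events, summary_key=("attacker",), interval=30):
    """Model of summary mode: the first hit per summary key opens a window and
    produces a full alert; later hits inside the window are folded into one
    summary alert. The victim is only known if it is part of the summary key."""
    windows, alerts = {}, []

    def close(bucket):
        w = windows.pop(bucket)
        if w["count"] > 1:  # only summarize if something was folded in
            victim = w["victim"] if "victim" in summary_key else "0.0.0.0"
            alerts.append({"type": "summary", "sig_id": bucket[0],
                           "attacker": w["attacker"], "victim": victim,
                           "count": w["count"]})

    for ev in sorted(events, key=lambda e: e["time"]):
        bucket = (ev["sig_id"],) + tuple(ev[f] for f in summary_key)
        w = windows.get(bucket)
        if w and ev["time"] - w["start"] >= interval:
            close(bucket)  # window expired: emit its summary
            w = None
        if w is None:
            windows[bucket] = {"start": ev["time"], "count": 1,
                               "attacker": ev["attacker"], "victim": ev["victim"]}
            alerts.append({"type": "alert", "sig_id": ev["sig_id"],
                           "attacker": ev["attacker"], "victim": ev["victim"],
                           "count": 1})
        else:
            w["count"] += 1
    for bucket in list(windows):
        close(bucket)
    return alerts


# Constructed sample: one source triggers signature 1330 against several targets.
SAMPLE = [
    {"time": 0,  "sig_id": 1330, "attacker": "10.1.1.5", "victim": "192.0.2.10"},
    {"time": 5,  "sig_id": 1330, "attacker": "10.1.1.5", "victim": "192.0.2.11"},
    {"time": 12, "sig_id": 1330, "attacker": "10.1.1.5", "victim": "192.0.2.10"},
    {"time": 40, "sig_id": 1330, "attacker": "10.1.1.5", "victim": "192.0.2.12"},
]

if __name__ == "__main__":
    for key in (("attacker",), ("attacker", "victim")):
        print("summary-key:", " & ".join(key))
        for alert in summarize(SAMPLE, summary_key=key):
            print("  ", alert)
```

With the attacker-only key the three hits in the first window collapse into one summary whose target is 0.0.0.0; with attacker & victim each pair is tracked separately and every alert keeps a real target address.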
