Choose the 'Advanced Search' option and enter the signature ID. This should help you better understand the specifics of the signatures that are firing.
In regard to the missing data in the CS-MARS incidents, if the firing signatures are summary events, some details are consolidated to 0.0.0.0 for the IP address and 0 for the port information. In these instances, CS-MARS cannot provide any further information since the raw event has no additional details. Could you provide the raw message of one or two of these events for confirmation?
That is certainly indicative of a summarized signature event. If you look further into the raw message, you should see an indication that this is a summary event, as well as the initial trigger event ID. You may be able to determine a single source from the initial event, but in most instances these events are generated due to the behavior of the attacker, and you would want to investigate the attacker/source of the event if it is located within your control. If you really want to investigate each and every occurrence of the attack, you could disable summarization on the signature in question (set the Summary Mode to 'Fire All'). This has the potential to generate a large number of events, and should not be used long-term. For the specific TCP Hijack signature, there are benign triggers explained on our IntelliShield site:
It is always good to be concerned about any incident that is reported, prior to any investigation on your part, in order to understand the implications. Upon determination of the underlying cause of the signature event, you may wish to continue getting alerts on the event, or you could create an event action filter on the IPS to stop alerting for specific IP addresses, or create a drop rule in CS-MARS to only log the event to the database (or drop it completely).
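The two sensor-side changes described in the replies above (temporarily setting a signature's Summary Mode to 'Fire All', then adding an event action filter once the cause is understood), shown as an added example rather than as anything posted in this thread or taken from Cisco documentation. The syntax is the Cisco IPS 5.x/6.x sensor CLI as I remember it, so check the submode names against your sensor's version before pasting; the signature ID 3250/0, the filter name and the address 192.0.2.10 are placeholders (the thread does not give the TCP Hijack signature's ID), and the `!` lines are explanatory comments, not commands.

```text
! Added example, not from the thread. Cisco IPS sensor CLI (5.x/6.x style);
! verify submode names on your sensor. 3250/0 and 192.0.2.10 are placeholders.

sensor# configure terminal

! 1. Disable summarization on the one signature under investigation so that
!    every trigger produces its own alert with real attacker/victim addresses
!    instead of the consolidated 0.0.0.0 / port 0. This is temporary: a noisy
!    signature in fire-all mode can flood both the sensor and CS-MARS, so
!    revert it to its previous summary mode once you have what you need.
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 3250 0
sensor(config-sig-sig)# alert-frequency
sensor(config-sig-sig-ale)# summary-mode fire-all
sensor(config-sig-sig-ale-fir)# exit
sensor(config-sig-sig-ale)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes?[yes]: yes

! 2. Once the trigger is confirmed benign for one specific host, remove only
!    the alert action for that host. The signature stays active for all other
!    sources, which is narrower than disabling it or dropping it in CS-MARS.
sensor(config)# service event-action-rules rules0
sensor(config-rul)# filters insert tcp-hijack-benign-host begin
sensor(config-rul-fil)# signature-id-range 3250
sensor(config-rul-fil)# subsignature-id-range 0
sensor(config-rul-fil)# attacker-address-range 192.0.2.10
sensor(config-rul-fil)# actions-to-remove produce-alert
sensor(config-rul-fil)# filter-item-status Enabled
sensor(config-rul-fil)# exit
sensor(config-rul)# exit
Apply Changes?[yes]: yes
```

Scope the filter as tightly as the evidence allows (one signature, one address range, optionally a victim range) rather than filtering the signature globally; a filter that removes `produce-alert` for every source silently hides the real hijack attempts the signature exists to catch. After step 1, compare the per-trigger alerts against the summary event's initial trigger event ID to confirm you are looking at the same traffic before deciding on a filter or a CS-MARS drop rule.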