Glad to see that you are using this feature already.
There is currently no automated way to use this feature, but the Unix director will be released shortly with a GUI-based version of the Signature Wizard. I do not know the specifics as to the timing of their release.
The 2.2.2a director will not display any custom signatures that you add as it does not know how to view or interpret them. Once again the timing of this release is not known to me.
Signatures 994 and 995 were added to alert the users to whether or not the sensor is currently seeing traffic. 994 fires when the sensor is either initially started and begins to receive traffic or after a long period of not having seen traffic and the traffic restarts. 995 is the mirror image of this and alarms after a user-tunable time threshold of not having any traffic on the NIC. The default is 90 seconds of no traffic. This value can be modified in the SiWizMenu program under the Other 3.X tokens selection.
I need more information to answer the 0.0.0.0 src address question as this is expected behavior for some signatures and not for others. Which signatures do you have reporting this way?
After reviewing this a little closer there is a legitimate way for this situation to occur. The 3.0 sensors have built into them the ability to rate limit alarms. The method that they follow is complicated, but if the alarm rate for a particular signature type is high enough the sensor will set that alarm type into "Global Summary Mode". In this mode you will no longer get IP addresses as this is an aggregation alarm; however, there should be a message to the effect that this is a summary alarm and how many events it has aggregated in this message. The info field in the alarm message is used for this summary info. You did not include this field in your previous posting so I cannot tell for sure whether or not this is a summary message. Could you please include an entire log entry from one of the alarms in question?