New Member

Net-Sweep Echo 2100/0

Hi guys again,

After upgrading to 3.0(2)S6 and then 3.0(2)S7, I noticed that now Net-Sweep Echoes show up (2100) as alarms in the browser.

However, all of them have Source and Destination of 0.0.0.0 -- any clues as to why this is malfunctioning?

Brenden

2 REPLIES
Cisco Employee

Re: Net-Sweep Echo 2100/0

This would appear to be the Global Summary feature new in 3.0.

When the sensor starts seeing too many of one type of alarm it will go into a Global Summary mode, in which case it reports the addresses as all 0s as its way of letting you know that it is happening for many different address combinations.

Check the details field and you should see the phrase Global Summary with a listing of how many alarms of that type the sensor is seeing.

According to the parameters listed by SigWizMenu it would go from Summary to Global Summary mode when the number of alarms reaches 200 (2 times the ChokeThreshold of 100) within 30 seconds (the Throttle Interval).

___________________________________________________________________________

Current Signature: Engine SWEEP.HOST.ICMP SIGID 2100

SigName: Net Sweep-Echo

___________________________________________________________________________

0 - Edit ALL Parameters

1 - AlarmThrottle = Summarize

2 - ChokeThreshold = 100

3 - FlipAddr =

4 * IcmpType = 8

5 - MaxInspectLength =

6 - MinHits =

7 - ResetAfterIdle = 20

8 - SigComment =

9 - SigStringInfo =

10 - ThrottleInterval = 30

11 * Unique = 5

d - Delete a value

u - UNDO and continue

x - SAVE and continue

___________________________________________________________________________

To learn more about the Summary and Global Summary modes refer to:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids6/13346_01.htm#xtocid228675

You can change any of the above parameters for this signature using the SigWizMenu program; for example, you could change the mode from Summary to FireOnce.

If the alarm is not a Global Summary mode alarm then we will have to investigate further.

If you believe the alarm is incorrectly going into Global Summary mode then we would need to investigate further.

To investigate we would need the log file entries for the alarm with the 0.0.0.0 IPs and all other 2100 alarms prior to that alarm, and I would recommend opening a TAC case to track it and be able to send the files to the engineers without having to post them to this forum.
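The triage rule described in the reply above, as an added example that is not part of the original posts and is not Cisco code: a 2100 alarm with 0.0.0.0 addresses is expected only when its details say Global Summary and the reported count has reached 2 x ChokeThreshold. The `sig|src|dst|details` record layout, the wording of the details text and the function names are assumptions made for illustration, not the sensor's actual log format.

```python
import re

CHOKE_THRESHOLD = 100   # value shown in the SigWizMenu listing
GLOBAL_FACTOR = 2       # Global Summary starts at 2 x ChokeThreshold
ZERO = "0.0.0.0"

# Constructed sample records (assumed layout: sig|src|dst|details).
SAMPLE = """\
2100|10.1.1.5|10.2.0.0|Net Sweep-Echo
2100|0.0.0.0|0.0.0.0|Global Summary: 412 alarms this interval
2100|0.0.0.0|0.0.0.0|Global Summary: 150 alarms this interval
2100|0.0.0.0|0.0.0.0|Net Sweep-Echo
3030|0.0.0.0|0.0.0.0|Global Summary: 900 alarms this interval
"""

def classify(line, sigid="2100"):
    """Return a triage verdict for one alarm record of the given signature."""
    sig, src, dst, details = line.split("|", 3)
    if sig != sigid:
        return "other-signature"
    if (src, dst) != (ZERO, ZERO):
        return "normal"                      # real addresses, ordinary alarm
    if "Global Summary" not in details:
        # Zeroed addresses without the phrase: not explained by throttling.
        return "investigate: zero addresses without Global Summary"
    m = re.search(r"Global Summary\D*(\d+)", details)
    if m is None:
        return "global-summary (no count found)"
    if int(m.group(1)) < GLOBAL_FACTOR * CHOKE_THRESHOLD:
        # Sensor claims Global Summary below the documented trigger point.
        return "investigate: count below Global Summary threshold"
    return "global-summary (expected)"

def triage(text, sigid="2100"):
    """Classify every non-empty record in a block of log text."""
    return [classify(l, sigid) for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE.splitlines(), triage(SAMPLE)):
        print(f"{verdict:55} {line}")
```
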

New Member

Re: Net-Sweep Echo 2100/0

Thanks so much for the explanation. It makes sense now. :-)
