Cisco Support Community
New Member

net sweep echo with destination of 0.0.0.0

We have several sensors at the 3.0(5)S17 level that are reporting net sweep echo (2100) events with a source and/or destination IP of 0.0.0.0. How is this possible? Is this a bug?

4 REPLIES
New Member

Re: net sweep echo with destination of 0.0.0.0

This is not a bug. It is the result of a summary alarm.

Summary alarms on sweeps have targeted multiple victim addresses and there is only one slot for an address in the alarm record, so we chose to zero it out before the alarm is sent.

You can see the summary details (counts) in the data field of the alarm.

You can turn off summary alarms by adjusting the following parameters for the signature 2100:

AlarmThrottle FireAll

ChokeThreshold ANY

Please let us know if this helps,

-JK

New Member

Re: net sweep echo with destination of 0.0.0.0

How do I set ChokeThreshold ANY? nrConfigure does not seem to want to accept a non-numeric value.

New Member

Re: net sweep echo with destination of 0.0.0.0

Instead of just using zero, would it be possible to give a class A, B, or C dot-zero address which encompasses the destinations seen so far? 0.0.0.0 would still be the fallback for a multiple-class-A sweep, I would expect.

This would have immediate application in solving some of the filtering problems. IN and OUT are useless filter modes when 0.0.0.0 is the only thing reported.
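The narrowing proposed in the reply above, as an added example that is not part of the original thread and is not Cisco sensor code: it collapses the victim addresses of a sweep to the narrowest dot-zero address that covers them all and shows why only the 0.0.0.0 fallback defeats an inside/outside filter. The /24, /16 and /8 boundaries, the function names, and the reading of IN as "inside the protected networks" are assumptions of this sketch.

```python
import ipaddress

# Prefix lengths tried from narrowest to widest (assumed reading of the
# "class C, B, A dot-zero" idea: /24, /16 and /8 boundaries).
PREFIXES = (24, 16, 8)
FALLBACK = ipaddress.ip_network("0.0.0.0/0")


def summary_address(victims):
    """Return the narrowest /24, /16 or /8 network containing every victim.

    Falls back to 0.0.0.0/0 when the victims span more than one /8
    or when the list is empty.
    """
    addrs = [ipaddress.IPv4Address(v) for v in victims]
    for prefix in PREFIXES:
        nets = {ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addrs}
        if len(nets) == 1:
            return nets.pop()
    return FALLBACK


def direction(summary, internal_nets):
    """Classify a summarized alarm address against the protected networks.

    "IN"      : summary lies wholly inside one protected network
    "OUT"     : summary does not touch any protected network
    "UNKNOWN" : summary is the 0.0.0.0 fallback, or straddles a boundary
    """
    if summary.prefixlen == 0:
        return "UNKNOWN"  # nothing to match on: the case the thread complains about
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    if any(summary.subnet_of(n) for n in internal):
        return "IN"
    if any(summary.overlaps(n) for n in internal):
        return "UNKNOWN"
    return "OUT"


if __name__ == "__main__":
    # Constructed sample sweeps; 10.0.0.0/8 is the assumed protected network.
    sweeps = [
        ["10.1.2.5", "10.1.2.77"],
        ["10.1.2.5", "10.1.9.1"],
        ["10.1.2.5", "192.0.2.1"],
    ]
    for victims in sweeps:
        net = summary_address(victims)
        print(victims, "->", net.network_address, direction(net, ["10.0.0.0/8"]))
```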

New Member

Re: net sweep echo with destination of 0.0.0.0

This brings up a question for me. Assuming that I have not turned off summary addresses, and I have alerts with 0.0.0.0 as the source AND destination, how in the devil can I filter these?
