On my Firepower Center Manager, I am seeing the HI_CLIENT_BARE_BYTE alert/event with bogus IPs that are not within my network, for example with source IP 0.0.0.0 as well as 8.0.0.0 and others, to random external IPs, most of which are either private range or showing to other countries. I have a fairly closed-circuit network with no direct internet access, i.e. an enclave behind the corporate intranet, and everything is restricted in and out for direct purpose (hosts, IPs, etc.), with no generic internet traffic.
Now, one thing I noticed is that the event from source 0.0.0.0 had packet data associated, so when I looked at the frames, I could see a different source and destination, which was our squid proxy server going out to another corporate proxy, which is normal approved traffic. Then, when I expanded and looked at the packet text data, I could see part of a URL that referenced intelligence.sourcefire.com, so I disabled the feed retrieval for the security intelligence to see what would happen, and the alerts from 0.0.0.0 went away. What the heck is causing Firepower to display an alert for 0.0.0.0 to a 160.246.xx. address in Japan, if the packet data says the source is our real internal proxy, going to the real external proxy and to a Cisco/Sourcefire feed?
Now, the other random unknown source addresses have no packet capture data, so I can't find, or don't know, what is causing them. They don't exist on our network and are usually not complete addresses.
The other thing is that in my actual ASA firewall logs, there are no access or deny entries for any of the attempted connections that Firepower IPS claims to see.
Has anyone else experienced or seen this? I'm thinking it is either a bug in Firepower or something with our squid proxy server that is confusing the IPS.