Impossible IP Packet saddress 0.0.0.0, daddress 0.0.0.0 - sig1102

tranquocphu
Level 1

Hi All

I implemented a Cisco 4260 appliance five months ago. It was set up in promiscuous mode. For the last 3 weeks, I have received "impossible IP packet" alerts in IPS Event Monitoring: Source IP (0.0.0.0) - Destination IP (0.0.0.0), port 137, 138. From my perspective, it is not considered a LAND attack. It may or may not be true. According to the IPS explanation, some Ethernet frames with an unknown protocol type may cause benign triggers. There is no service interruption for now. I can create an event action filter to filter or ignore that traffic. Is that a best practice? I would like to know about that traffic. I have no clues. I can't capture that traffic from the IME. I attached screenshots for you to review. Thanks for your help.

1 Reply

mmandeka
Cisco Employee

Hi Peter,

In the snapshot you have attached, I see the source IP, destination IP, source port and destination port being set to 0.

This does not mean that you are actually getting packets with these parameters.

If you look at the alert, you will see that this is a summary alert. The alerts where the src/dest IP/port is 0 are summary alerts. This is an alert summarizing NN alerts seen over period Z that the sensor has generated an alert for. Check the summary-mode and summary variables under alert-frequency for the signature config. All the packets that match this signature will have all the actions performed on them, but the notification will depend on whether it's an actual alert or a summary alert.

Global Summarization mode fires an alert for every summary interval.

Let me know if you have any further queries.

Regards,

Manisha Mandekar
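An added example, not code from this thread or from Cisco, sketching the distinction the reply describes: per-packet hits for a signature are collapsed per summary interval into a single record whose addresses and ports are all zero, and a triage filter keeps only the alerts that describe an actual packet. The hits are constructed, and the record layout is an assumption rather than the IME export format.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sig_id: int
    ts: int          # seconds since start of the observation window
    src: str
    dst: str
    sport: int
    dport: int
    count: int = 1   # greater than 1 only on summary records

    @property
    def is_summary(self) -> bool:
        # A summary record describes no single packet: addresses and ports are zero.
        return self.src == self.dst == "0.0.0.0" and self.sport == self.dport == 0


# Constructed per-packet hits for signature 1102 (not captured from a real sensor).
HITS = [
    Alert(1102, 0, "10.1.1.5", "10.1.1.255", 137, 137),
    Alert(1102, 4, "10.1.1.7", "10.1.1.255", 138, 138),
    Alert(1102, 9, "10.1.1.5", "10.1.1.255", 137, 137),
    Alert(1102, 31, "10.1.1.9", "10.1.1.255", 137, 137),
]


def summarize(hits, interval=30):
    """Collapse per-packet hits into one zero-addressed summary per signature and interval."""
    buckets = Counter()
    for h in hits:
        buckets[(h.sig_id, h.ts - h.ts % interval)] += 1
    return [Alert(sig, start, "0.0.0.0", "0.0.0.0", 0, 0, n)
            for (sig, start), n in sorted(buckets.items())]


def real_hits(alerts):
    """Filter a mixed event list down to alerts that describe an actual packet."""
    return [a for a in alerts if not a.is_summary]


if __name__ == "__main__":
    summaries = summarize(HITS)
    for s in summaries:
        print(f"sig {s.sig_id} interval starting {s.ts}s: {s.count} hits (summary)")
    print(f"{len(real_hits(HITS + summaries))} per-packet alerts worth inspecting")
```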

