06-26-2007 11:32 AM - edited 03-10-2019 03:40 AM
Hi,
I see events in SecMon with the victim or attacker IP of <n/a>.
How can I filter those events?
I cannot implement an event action filter in the IDM since the <n/a> is not acceptable as a victim or attacker IP.
It's weird that a signature for TCP traffic generates the src or dst as <n/a> since in the IP header there is a src & dst field...
Sig Name: TCP Hijack
Sig ID: 3250
Severity: High
Risk Rating: 85
Sig Version: S212
Attack Type: General Attack
OS Family: General OS
OS: <n/a>
Protocol: tcp
Protocol Details: TCP
Service: <n/a>
Attacker Address: <n/a> <--------
Attacker Port: <n/a> <--------
Attacker Loc: OUT
Attacker Unreliable: False
Victim Address: 198.133.219.25
Victim Port: <n/a> <--------
Thanks,
JP
06-26-2007 12:16 PM
These weren't summary events, were they? Those could summarize on source or target with the reverse being labeled as '0.0.0.0'. Can you look on the sensor for the raw event and see if that information is present?