IPS/IDS events generated with IP <n/a> instead of ###.###.###.###

jdenis
Level 1

Hi,

I see events in SecMon with the victim or attacker IP of <n/a>.

How can I filter those events?

I cannot implement an event action filter in the IDM since the <n/a> is not acceptable as a victim or attacker IP.

It's weird that a signature for TCP traffic generates the src or dst as <n/a> since in the IP header there is a src & dst field...

Sig Name: TCP Hijack

Sig ID: 3250

Severity: High

Risk Rating: 85

Sig Version: S212

Attack Type: General Attack

OS Family: General OS

OS: <n/a>

Protocol: tcp

Protocol Details: TCP

Service: <n/a>

Attacker Address: <n/a> <--------

Attacker Port: <n/a> <--------

Attacker Loc: OUT

Attacker Unreliable: False

Victim Address: 198.133.219.25

Victim Port: <n/a> <--------

Thanks,

JP

1 Accepted Solution


attmidsteam
Level 1

These weren't summary events, were they? Those could summarize on source or target with the reverse being labeled as '0.0.0.0'. Can you look on the sensor for the raw event and see if that information is present?
