IPS log displays threats with source and dest 0.0.0.0

Hi,

We have an IPS 4270 which reports a lot of threats with source and dest 0.0.0.0. Why is that? Can't it resolve these addresses?

Example:

Receive Time | Severity | Event Type ID | Event Name | Device | Source | Source Service | Destination | Destination Service | Action | Risk Rating | Description
8/17/11 9:18:45 AM | High (IPS) | 4703/0 | MSSQL Resolution Service Stack Overflow | IPS-DEB1-1 vs1 | 0.0.0.0 | udp/0 | 0.0.0.0 | udp/0 | | 100 | MSSQL Resolution Service Stack Overflow
8/17/11 8:30:09 AM | Low (IPS) | 11020/1 | BitTorrent Client Activity | IPS-DEB1-1 vs1 | 0.0.0.0 | tcp/0 | 0.0.0.0 | tcp/0 | | 50 | BitTorrent Protocol
8/17/11 7:30:09 AM | Low (IPS) | 11020/1 | BitTorrent Client Activity | IPS-DEB1-1 vs1 | 0.0.0.0 | tcp/0 | 0.0.0.0 | tcp/0 | | 50 | BitTorrent Protocol
8/17/11 6:30:04 AM | Low (IPS) | 11020/1 | BitTorrent Client Activity | IPS-DEB1-1 vs1 | 0.0.0.0 | tcp/0 | 0.0.0.0 | tcp/0 | | 50 | BitTorrent Protocol
8/17/11 5:30:04 AM | Low (IPS) | 11020/1 | BitTorrent Client Activity | IPS-DEB1-1 vs1 | 0.0.0.0 | tcp/0 | 0.0.0.0 | tcp/0 | | 50 | BitTorrent Protocol
8/17/11 4:29:56 AM | Low (IPS) | 11020/1 | BitTorrent Client Activity | IPS-DEB1-1 vs1 | 0.0.0.0 | tcp/0 | 0.0.0.0 | tcp/0 | | 50 | BitTorrent Protocol
8/17/11 3:29:56 AM | Low (IPS) | 11020/1 | BitTorrent Client Activity | IPS-DEB1-1 vs1 | 0.0.0.0 | tcp/0 | 0.0.0.0 | tcp/0 | | 50 | BitTorrent Protocol
8/17/11 2:29:55 AM | Low (IPS) | 11020/1 | BitTorrent Client Activity | IPS-DEB1-1 vs1 | 0.0.0.0 | tcp/0 | 0.0.0.0 | tcp/0 | | 50 | BitTorrent Protocol
8/17/11 1:29:55 AM | Low (IPS) | 11020/1 | BitTorrent Client Activity | IPS-DEB1-1 vs1 | 0.0.0.0 | tcp/0 | 0.0.0.0 | tcp/0 | | 50 | BitTorrent Protocol
8/17/11 12:29:55 AM | Low (IPS) | 11020/1 | BitTorrent Client Activity | IPS-DEB1-1 vs1 | 0.0.0.0 | tcp/0 | 0.0.0.0 | tcp/0 | | 50 | BitTorrent Protocol
8/16/11 11:29:54 PM | Low (IPS) | 11020/1 | BitTorrent Client Activity | IPS-DEB1-1 vs1 | 0.0.0.0 | tcp/0 | 0.0.0.0 | tcp/0 | | 50 | BitTorrent Protocol

Thanks,

Marc

Marc,

It looks like those are summarized alerts. Have you had a chance to look at the raw alerts? I suspect the actual alerts will give you the applicable IP addresses.

If they are indeed being summarized and you want to see each alert individually, you can disable summarization in the signature. Hope this helps.

Jonathan
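A small triage script for the pattern Jonathan describes, added here as an example and not part of the thread or of any Cisco tooling. It assumes the event view has been exported tab-separated with the same twelve columns as the table above; the sample embedded below is constructed from the thread's rows plus one made-up discrete 4703/0 alert with RFC 1918 addresses for contrast. Rows whose source and destination are both 0.0.0.0 with port 0 are treated as summary alerts; for each signature the script counts summary versus discrete rows, collects the real host pairs from the discrete ones, estimates the summary interval from the gaps between summary rows (the hourly cadence in the thread is the tell), and lists the signatures for which the export alone gives no addresses, i.e. where the raw alerts must be pulled or summarization turned off.

```python
"""Separate summarized Cisco IPS alerts (0.0.0.0 / port 0) from discrete ones.

Added example, not code from the thread. Input format is assumed: a
tab-separated export with the twelve columns of the original event table.
"""
from datetime import datetime
from statistics import median

# Constructed sample: thread rows plus one made-up discrete alert (RFC 1918
# addresses, ephemeral source port). The Action column is empty, as in the
# original export.
SAMPLE = """\
Receive Time\tSeverity\tEvent Type ID\tEvent Name\tDevice\tSource\tSource Service\tDestination\tDestination Service\tAction\tRisk Rating\tDescription
8/17/11 9:18:45 AM\tHigh (IPS)\t4703/0\tMSSQL Resolution Service Stack Overflow\tIPS-DEB1-1 vs1\t0.0.0.0\tudp/0\t0.0.0.0\tudp/0\t\t100\tMSSQL Resolution Service Stack Overflow
8/17/11 9:17:12 AM\tHigh (IPS)\t4703/0\tMSSQL Resolution Service Stack Overflow\tIPS-DEB1-1 vs1\t192.168.1.23\tudp/52113\t10.0.0.5\tudp/1434\t\t100\tMSSQL Resolution Service Stack Overflow
8/17/11 8:30:09 AM\tLow (IPS)\t11020/1\tBitTorrent Client Activity\tIPS-DEB1-1 vs1\t0.0.0.0\ttcp/0\t0.0.0.0\ttcp/0\t\t50\tBitTorrent Protocol
8/17/11 7:30:09 AM\tLow (IPS)\t11020/1\tBitTorrent Client Activity\tIPS-DEB1-1 vs1\t0.0.0.0\ttcp/0\t0.0.0.0\ttcp/0\t\t50\tBitTorrent Protocol
8/17/11 6:30:04 AM\tLow (IPS)\t11020/1\tBitTorrent Client Activity\tIPS-DEB1-1 vs1\t0.0.0.0\ttcp/0\t0.0.0.0\ttcp/0\t\t50\tBitTorrent Protocol
8/17/11 5:30:04 AM\tLow (IPS)\t11020/1\tBitTorrent Client Activity\tIPS-DEB1-1 vs1\t0.0.0.0\ttcp/0\t0.0.0.0\ttcp/0\t\t50\tBitTorrent Protocol
"""

FIELDS = ["time", "severity", "sig", "name", "device", "src", "src_svc",
          "dst", "dst_svc", "action", "risk", "desc"]


def parse_events(text):
    """Parse the export into dicts; the first line is the header."""
    events = []
    for line in text.strip().splitlines()[1:]:
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            raise ValueError("expected %d columns, got %d: %r"
                             % (len(FIELDS), len(cols), line))
        ev = dict(zip(FIELDS, cols))
        ev["time"] = datetime.strptime(ev["time"], "%m/%d/%y %I:%M:%S %p")
        ev["risk"] = int(ev["risk"])
        events.append(ev)
    return events


def is_summary(ev):
    """A summary alert stands for many flows, so it carries no real endpoints."""
    return (ev["src"] == "0.0.0.0" and ev["dst"] == "0.0.0.0"
            and ev["src_svc"].endswith("/0") and ev["dst_svc"].endswith("/0"))


def triage(events):
    """Per signature: summary/discrete counts, real host pairs, summary cadence."""
    report = {}
    for ev in events:
        r = report.setdefault(ev["sig"], {"name": ev["name"], "summary": 0,
                                          "discrete": 0, "hosts": set(),
                                          "summary_times": []})
        if is_summary(ev):
            r["summary"] += 1
            r["summary_times"].append(ev["time"])
        else:
            r["discrete"] += 1
            r["hosts"].add((ev["src"], ev["dst"]))
    for r in report.values():
        ts = sorted(r["summary_times"])
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        # Median gap between summary alerts approximates the summary interval.
        r["interval_s"] = median(gaps) if gaps else None
    return report


def needs_raw_alerts(report):
    """Signatures seen only as summaries: the export gives no addresses for them."""
    return sorted(sig for sig, r in report.items()
                  if r["summary"] and not r["discrete"])


if __name__ == "__main__":
    rep = triage(parse_events(SAMPLE))
    for sig, r in sorted(rep.items()):
        print("%-8s %-40s summary=%d discrete=%d interval=%s hosts=%s"
              % (sig, r["name"], r["summary"], r["discrete"],
                 r["interval_s"], sorted(r["hosts"])))
    print("pull raw alerts for:", needs_raw_alerts(rep))
```

The 4703/0 row is worth separating out even though it is a summary: a risk rating of 100 summarized from a stack-overflow signature means several real flows hit it, and the discrete alerts are the only place the attacking and targeted hosts appear.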
