Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
834
Views
0
Helpful
2
Replies

IPS sensor event reporting showing source ip 10.5.5.5 victim ip 0.0.0.0- does 0.0.0.0 mean a broadcast?

Go to solution
cminton_ERS
Level 1
Level 1

‎09-21-2011 09:07 AM - edited ‎03-10-2019 05:29 AM

We have a internal node  in the environment and  our IPS is catching in the event logs stating it is sending traffic to victim ip 0.0.0.0.  I am assuming that 0.0.0.0 means a broadcast, is this correct?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
rhermes
Level 7
Level 7

‎09-21-2011 12:15 PM

No, 0.0.0.0 is used as a summary address. If the signature was a port scan for example, the victim IP addresses may be too numerous to list, so Cisco uses the 0.0.0.0 address to indicate that is has summarized multiple addresses into that field.

- Bob

View solution in original post

0 Helpful
2 Replies 2

Go to solution
rhermes
Level 7
Level 7

‎09-21-2011 12:15 PM

No, 0.0.0.0 is used as a summary address. If the signature was a port scan for example, the victim IP addresses may be too numerous to list, so Cisco uses the 0.0.0.0 address to indicate that is has summarized multiple addresses into that field.

- Bob

0 Helpful

Go to solution
cminton_ERS
Level 1
Level 1
In response to rhermes

‎09-21-2011 12:18 PM

awesome thx!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card