09-02-2008 06:45 AM - edited 03-10-2019 04:16 AM
I find so many events listed on the sensor that report numerous events which list the source and/or destination as 0.0.0.0. In this event, the "attacker" is a known and permitted host. However, my ACLs do not permit it "any". I have no idea why so many events have the attacker or the victim as 0.0.0.0.
This is just too odd. I do not believe that all of the ISPs in the path are forwarding 0.0.0.0 to us. I also have no reason to believe the 3-4 ISPs between this "attacker" and us have coordinated to send 0.0.0.0 to us.
evIdsAlert: eventId=1214480258083636677 vendor=Cisco severity=informational
originator:
hostId: [REMOVED]
appName: sensorApp
appInstanceId: 400
time: September 2, 2008 2:11:37 PM UTC offset=-240 timeZone=GMT-05:00
signature: description=Data Base TNS Connection id=7000 version=S262
subsigId: 0
sigDetails: Connection Detected
marsCategory: Info/Misc/DB
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: 69.1.x.y [MODIFIED] locality=OUT
port: 0
target:
addr: 0.0.0.0 locality=OUT
port: 0
os: idSource=unknown type=unknown relevance=unknown
summary: 4 final=true initialAlert=0 summaryType=Regular
alertDetails: InterfaceAttributes: context="Unknown" physical="Unknown" backplane="GigabitEthernet0/1" ; Regular Summary: 4 events this interval ;
riskRatingValue: 13 targetValueRating=medium
threatRatingValue: 13
interface: GigabitEthernet0/1 context=Unknown physical=Unknown backplane=GigabitEthernet0/1
protocol: tcp
09-02-2008 08:03 AM
This is because of 'summary' events. Since there is more than one target, the IPS is showing them as 0.0.0.0. Look at your event more closely and you will see this:
"Summary: 4 events this interval ; " (fifth from last line)
Regards
Farrukh
03-05-2009 06:25 AM
Thanks, BTW,
I understand your response. However, this is still a matter of debate in our organization. On our system we have this firing (well, numerous others and new ones since) on one host to one host connections over one TCP port. The ACLs do not allow that source host to perform any other DB connections to other hosts. I have written EAF policies to subtract alerts of known, permitted host IP to host IP connections, but I just do not think I should write EAFs to subtract events with a target of zeros because this host is NOT establishing multiple actions as the ACLs are very restrictive and do not allow it in the first place.
So I do not see why the summary has to obscure the target when the target is only one host.
Is there no way Cisco can issue a summary alert when there is only one source IP and one target IP and not obscure anything with zeros?
03-05-2009 09:42 AM
This is configurable on the signature itself.
Here is the current summary settings for the signature:
alert-frequency
-----------------------------------------------
summary-mode
-----------------------------------------------
summarize
-----------------------------------------------
summary-interval: 15
summary-key: Axxx
specify-global-summary-threshold
The Summary-Key being Axxx specifically tells the sensor to count the alarms based solely on the Source address, and so the Destination address will be 0.0.0.0 because it is not tracking the destination address.
The Summary Key can be changed to AxBx. Now, instead of counting based solely on the Source address, it will count on unique pairs of Source and Destination addresses. You will get a separate summary alert for each pair of addresses, and both source and destination addresses should be filled in for the summary alert.
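The following is an added example, not code from the original thread or from Cisco: a small Python model of how a summary alert's summary-key decides which participant fields survive aggregation. The letters follow the key strings quoted in the answer above (A = attacker address, B = target address, x = not tracked); the lowercase a/b positions for the ports and the four-position layout are assumptions, and the real sensor only accepts a fixed set of key values, whereas this model accepts any combination. The point it makes visible is that a field missing from the key is reported as 0.0.0.0 / port 0 even when every event in the interval had the same value, which is why a single-host-to-single-host flow still shows a zeroed target under Axxx. The sample events are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Summary-key letters: A = attacker address, a = attacker port,
# B = target address, b = target port; 'x' means "not tracked".
# Assumption: the key is four positions in the order A a B b.
WILDCARD_ADDR = "0.0.0.0"
WILDCARD_PORT = 0


@dataclass(frozen=True)
class Event:
    sig_id: int
    attacker_addr: str
    attacker_port: int
    target_addr: str
    target_port: int


def _key_fields(summary_key):
    """Return a 4-tuple of booleans: which of (attacker addr, attacker port,
    target addr, target port) the key tracks."""
    if len(summary_key) != 4:
        raise ValueError("summary key must have four positions, e.g. 'Axxx' or 'AxBx'")
    expected = "AaBb"
    tracked = []
    for pos, ch in enumerate(summary_key):
        if ch == expected[pos]:
            tracked.append(True)
        elif ch == "x":
            tracked.append(False)
        else:
            raise ValueError(f"position {pos} must be {expected[pos]!r} or 'x', got {ch!r}")
    return tuple(tracked)


def summarize(events, summary_key):
    """Group events by the tracked fields and emit one summary per group.

    Each summary is a dict shaped like the participants block of a summary
    alert. Fields the key does not track are filled with 0.0.0.0 / 0, the way
    the sensor reports them, regardless of what the underlying events held.
    """
    tracked = _key_fields(summary_key)
    groups = defaultdict(int)
    for ev in events:
        fields = (ev.attacker_addr, ev.attacker_port, ev.target_addr, ev.target_port)
        # Untracked positions collapse to None so that they never split a group.
        key = tuple(f if t else None for f, t in zip(fields, tracked))
        groups[(ev.sig_id, key)] += 1
    summaries = []
    for (sig_id, key), count in groups.items():
        a_addr, a_port, t_addr, t_port = key
        summaries.append({
            "sig_id": sig_id,
            "attacker_addr": a_addr if a_addr is not None else WILDCARD_ADDR,
            "attacker_port": a_port if a_port is not None else WILDCARD_PORT,
            "target_addr": t_addr if t_addr is not None else WILDCARD_ADDR,
            "target_port": t_port if t_port is not None else WILDCARD_PORT,
            "count": count,
        })
    return summaries


# Constructed sample: one permitted host making four TNS connections to one
# database listener on one port in the interval (the thread's "4 events this
# interval" shape). Addresses and ports are made up.
SAMPLE_EVENTS = [
    Event(7000, "69.1.0.1", 51000 + i, "10.0.0.5", 1521) for i in range(4)
]

if __name__ == "__main__":
    for key in ("Axxx", "AxBx"):
        for s in summarize(SAMPLE_EVENTS, key):
            print(key, s)
```

Running it shows that under Axxx the four events become one summary with target 0.0.0.0, and under AxBx the same four events become one summary with the real target filled in; add an event to a second target and Axxx still yields one summary while AxBx yields two. A practical caveat that follows from this: an event filter written to suppress a zeroed target under Axxx is matching on the key's wildcard, not on the host, so it will also swallow summaries for any target the source reaches.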
03-06-2009 05:50 AM
Thanks, I modified one alert that fires on 0.0.0.0 and I haven't seen one since. But I may not have chosen a frequent alert sig. I will select a frequent alert and evaluate.
For the anti-Cisco people amongst us, is this matter documented outside of a forum discussion, like in a technote, configuration guide, etc.? I've looked at the titles of articles in the config examples and technotes section and searched through the immense document titled "Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 6.1."
Thanks.