Why does the AIP-SSM report many 0.0.0.0 addresses?

bnidacoc (Level 1)

I find so many events listed on the sensor that report the source and/or destination as 0.0.0.0. In this event, the "attacker" is a known and permitted host. However, my ACLs do not permit it "any". I have no idea why so many events have the attacker or the victim as 0.0.0.0.

This is just too odd. I do not believe that all of the ISPs in the path are forwarding 0.0.0.0 to us. I also have no reason to believe the 3-4 ISPs between this "attacker" and us have coordinated to send 0.0.0.0 to us.

evIdsAlert: eventId=1214480258083636677 vendor=Cisco severity=informational
  originator:
    hostId: [REMOVED]
    appName: sensorApp
    appInstanceId: 400
  time: September 2, 2008 2:11:37 PM UTC offset=-240 timeZone=GMT-05:00
  signature: description=Data Base TNS Connection id=7000 version=S262
    subsigId: 0
    sigDetails: Connection Detected
    marsCategory: Info/Misc/DB
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: 69.1.x.y [MODIFIED] locality=OUT
      port: 0
    target:
      addr: 0.0.0.0 locality=OUT
      port: 0
      os: idSource=unknown type=unknown relevance=unknown
  summary: 4 final=true initialAlert=0 summaryType=Regular
  alertDetails: InterfaceAttributes: context="Unknown" physical="Unknown" backplane="GigabitEthernet0/1" ; Regular Summary: 4 events this interval ;
  riskRatingValue: 13 targetValueRating=medium
  threatRatingValue: 13
  interface: GigabitEthernet0/1 context=Unknown physical=Unknown backplane=GigabitEthernet0/1
  protocol: tcp

4 Replies

Farrukh Haroon (VIP Alumni)

This is because of 'summary' events. Since there is MORE than one target, the IPS is showing them as 0.0.0.0. Look at your event more closely and you will see this:

"Summary: 4 events this interval ; " (5th last line)

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&topicID=.ee6e1fc&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc15a36/0#selected_message

Regards

Farrukh

Thanks. BTW,

I understand your response. However, this is still a matter of debate in our organization. On our system we have this firing (well, numerous others and new ones since) on one-host-to-one-host connections over one TCP port. The ACLs do not allow that source host to perform any other DB connections to other hosts. I have written EAF policies to subtract alerts of known, permitted host-IP-to-host-IP connections, but I just do not think I should write EAFs to subtract events with a target of zeros, because this host is NOT establishing multiple connections: the ACLs are very restrictive and do not allow it in the first place.

So, I do not see why the summary has to obscure the target when the target is only one host.

Is there no way Cisco can issue a summary alert when there is only one source IP and one target IP and not obscure anything with zeros?

This is configurable on the signature itself.

Here are the current summary settings for the signature:

alert-frequency
-----------------------------------------------
summary-mode
-----------------------------------------------
summarize
-----------------------------------------------
summary-interval: 15
summary-key: Axxx
specify-global-summary-threshold

The Summary-Key being Axxx specifically tells the sensor to count the alarms based solely on the Source address, and so the Destination address will be 0.0.0.0 because it is not tracking the destination address.

The Summary Key can be changed to AxBx. Instead of counting based solely on the Source address, it will then count on unique pairs of Source and Destination addresses. You will get a separate summary alert for each pair of addresses, and both source and destination addresses should be filled in for the summary alert.
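As an added illustration (not code from this thread or from Cisco), the following Python model shows how the summary-key decides which address fields survive into a summary alert, using the Axxx and AxBx semantics described above. The letter-to-field mapping, the sample alerts and the placeholder addresses are my assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Summary-key letters -> alert fields the sensor tracks when rolling alerts up
# (assumption derived from the thread: 'A' = attacker address, 'B' = target
# address, 'x' = field not tracked and therefore reported as zeros).
SUMMARY_KEYS = {
    "Axxx": ("attacker_addr",),
    "AxBx": ("attacker_addr", "target_addr"),
}
ZERO = {"attacker_addr": "0.0.0.0", "attacker_port": 0,
        "target_addr": "0.0.0.0", "target_port": 0}

@dataclass(frozen=True)
class Alert:
    sig_id: int
    attacker_addr: str
    attacker_port: int
    target_addr: str
    target_port: int

def summarize(alerts, summary_key):
    """Roll up one interval's alerts by signature plus the tracked fields;
    untracked fields come out as 0.0.0.0 / port 0, which is why an Axxx
    summary shows target 0.0.0.0 even when there is only one target."""
    tracked = SUMMARY_KEYS[summary_key]
    counts = defaultdict(int)
    for a in alerts:
        counts[(a.sig_id,) + tuple(getattr(a, f) for f in tracked)] += 1
    summaries = []
    for key, n in counts.items():
        s = {"sig_id": key[0], "count": n, "summary_key": summary_key}
        for field, zero in ZERO.items():
            s[field] = key[1 + tracked.index(field)] if field in tracked else zero
        summaries.append(s)
    return summaries

# Constructed sample (placeholder addresses): one permitted host makes four
# TNS connections to a single database server, another host hits two servers.
SAMPLE = [
    Alert(7000, "69.1.2.3", 51001, "10.0.0.5", 1521),
    Alert(7000, "69.1.2.3", 51002, "10.0.0.5", 1521),
    Alert(7000, "69.1.2.3", 51003, "10.0.0.5", 1521),
    Alert(7000, "69.1.2.3", 51004, "10.0.0.5", 1521),
    Alert(7000, "198.51.100.7", 40001, "10.0.0.5", 1521),
    Alert(7000, "198.51.100.7", 40002, "10.0.0.6", 1521),
]
```

Under Axxx the four connections from the permitted host collapse into one summary with target 0.0.0.0; under AxBx the same four keep their real target, and the second host splits into one summary per destination.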

Thanks, I modified one alert that fires on 0.0.0.0 and I haven't seen one since. But I may not have chosen a frequent alert sig. I will select a frequent alert and evaluate.

For the anti-Cisco people amongst me, is this matter documented outside of a forum discussion, like in a technote, configuration guide, etc... I've looked at the titles of articles in the config examples and technotes section and searched through the immense document titled "Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 6.1."

Thanks.
