Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
298
Views
11
Helpful
3
Replies

CS-Mars Query ?

thornick
Level 1
Level 1

‎06-20-2006 08:28 AM - edited ‎03-09-2019 03:19 PM

Running vs. 4.1 ... When I run a query on a specific clients source IP address, I am getting alot of Destination IP of 0.0.0.0 .... is this normal? Is there something I am missing in configuration?

Labels:
0 Helpful
3 Replies 3

a.kiprawih
Level 7
Level 7

‎06-20-2006 12:05 PM

Hi,

It's normal, as it was generated by the device itself. This is why you see the 0.0.0.0 can either be a source or destination IP.

Same goes to interface up/down for a device where if the device itself is sending log to MARS, you'll see the same 0.0.0.0 appear.

Rgds,

AK

JUCETA
Level 1
Level 1

‎09-10-2006 11:11 PM

Hi,

It's normal. I guess you're getting information from logon events (authentication failure, Windows 2000 login sucessful, etc) That's because there're some event logs without IP information and traffic used is not IP routed (NetBIOS, p.e.) In this manner, if you look at the raw message you'll see the logon information (username, password, domain controller like reporting device, etc)

It's normal.

Good luck!

thornick
Level 1
Level 1
In response to JUCETA

‎09-11-2006 04:39 AM

Thank you!

0 Helpful
Customers Also Viewed These Support Documents