Piotr,

That explains what I see. Thanks for your very helpful explanation.


On Mon, Nov 11, 2013 at 11:24 PM, Piotr Kaluzny <pio...@ipexpert.com> wrote:

> With the Summary Mode set to "Summarize" (what you did), you will always
> see a first alert for the Attacker and then at the end of the interval a
> so-called Summary which is a collective-like log for all events seen
> generated based on *Summary Key*. Since your Summary Key is "Attacker", it
> means that you only care about the IP address of the Attacker (in the
> Summaries), and not the IP address of the Victim.
>
> Example - 7.7.3.10 attacked 1.2.3.4 twice and 2.3.4.5 3 times. What you
> would see at the end of the Interval is a Summary Log for 7.7.3.10 with the
> total number of Events of 2+3=5. So this is when IPS is telling you that it
> has seen 5 attacks from 7.7.3.10 total, no matter how many victims there
> were in this interval (it replaces Victims' IPs with 0.0.0.0).
>
>
> Regards,
>
> Piotr Kaluzny : Sr Instructor : iPexpert <http://www.ipexpert.com>
> CCIE # 25665 :: Security
> *:: World-Class Cisco Certification Training*
>
> Direct: +1.810.332.1444
> :: Free Videos <http://www.youtube.com/ipexpertinc>
> :: Free Training / Product Offerings <https://www.facebook.com/IPexpert>
> :: CCIE Blog <http://blog.ipexpert.com/>
> :: Twitter <https://twitter.com/ipexpert>
>
>
> On Tue, Nov 12, 2013 at 2:27 AM, jeremy co <jeremy.coo...@gmail.com> wrote:
>
>> I'm not sure what you mean by "Don't you have any Target Value Rating
>> associated with the victim which would bump the RR in the regular event?"
>>
>> The only thing I did was follow the sig wizard. So if you mean adding
>> any extra rating to the victim (150.1.7.20): no.
>>
>> Here is the screenshot of my custom sig. It hits the specific IP address,
>> but *my problem is why it hits 0.0.0.0?*
>>
>>
>> On Mon, Nov 11, 2013 at 5:01 PM, Piotr Kaluzny <pio...@ipexpert.com> wrote:
>>
>>> Hi
>>>
>>> This is a summary - looks like the Summary Key was set to the Attacker's
>>> address which means that you don't care who the Victim is when you generate
>>> a Summary (Summaries are based on Attackers).
>>>
>>> Don't you have any Target Value Rating associated with the victim which
>>> would bump the RR in the regular event?
>>>
>>> Regards,
>>>
>>> Piotr Kaluzny : Sr Instructor : iPexpert <http://www.ipexpert.com>
>>> CCIE # 25665 :: Security
>>> *:: World-Class Cisco Certification Training*
>>>
>>> Direct: +1.810.332.1444
>>> :: Free Videos <http://www.youtube.com/ipexpertinc>
>>> :: Free Training / Product Offerings <https://www.facebook.com/IPexpert>
>>> :: CCIE Blog <http://blog.ipexpert.com/>
>>> :: Twitter <https://twitter.com/ipexpert>
>>>
>>>
>>> On Tue, Nov 12, 2013 at 1:06 AM, jeremy co <jeremy.coo...@gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>>
>>>> ASA1/2  (7.7.3.10) ------IPS----------- SYSLOG SERVER (150.1.7.20)
>>>>
>>>> I configured a custom signature for syslog messaging between host A and
>>>> host B.
>>>>
>>>> ASA1/ASA2 are in active/standby mode producing syslogs, and the IPS is
>>>> supposed to pick this up.
>>>>
>>>> I can see the IPS sig trigger when it sees traffic from IP A to IP B on
>>>> port 514 with "alert high 85":
>>>>
>>>>
>>>> evIdsAlert: eventId=1376465320547002492  vendor=Cisco  severity=high  alarmTraits=32768
>>>>   originator:
>>>>     hostId: IPS
>>>>     appName: sensorApp
>>>>     appInstanceId: 1203
>>>>   time: Nov 11, 2013 22:12:19 UTC  offset=0  timeZone=UTC
>>>>   signature:   description=syslog  id=61000  version=custom  type=other  created=20000101
>>>>     subsigId: 0
>>>>     sigDetails: My Sig Info
>>>>   interfaceGroup: vs0
>>>>   vlan: 3
>>>>   participants:
>>>>     attacker:
>>>>       addr: 7.7.3.10  locality=OUT
>>>>       port: 514
>>>>     target:
>>>>       addr: 150.1.7.20  locality=OUT
>>>>       port: 514
>>>>       os:   idSource=unknown  type=unknown  relevance=relevant
>>>>   riskRatingValue: 85  targetValueRating=medium  attackRelevanceRating=relevant
>>>>   threatRatingValue: 85
>>>>   interface: ge0_0
>>>>   protocol: udp
>>>>
>>>> -------------------------------------------------------------------------------------------------------------------------
>>>> $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
>>>>
>>>> -------------------------------------------------------------------------------------------------------------------------
>>>>
>>>> *PROBLEM: *
>>>>
>>>> I can see the same sig triggered with the following (alert 75 and
>>>> destination 0.0.0.0):
>>>>
>>>> *What is 0.0.0.0 doing here? I never configured it on my custom
>>>> sig. And why is the alert level 75, while on the one above it is 85? My
>>>> original config is 75.*
>>>>
>>>>
>>>> evIdsAlert: eventId=1376465320547002493  vendor=Cisco  severity=high  alarmTraits=32768
>>>>   originator:
>>>>     hostId: IPS
>>>>     appName: sensorApp
>>>>     appInstanceId: 1203
>>>>   time: Nov 11, 2013 22:12:34 UTC  offset=0  timeZone=UTC
>>>>   signature:   description=syslog  id=61000  version=custom  type=other  created=20000101
>>>>     subsigId: 0
>>>>     sigDetails: My Sig Info
>>>>   interfaceGroup: vs0
>>>>   vlan: 3
>>>>   participants:
>>>>     attacker:
>>>>       addr: 7.7.3.10  locality=OUT
>>>>       port: 0
>>>>     target:
>>>>       addr: 0.0.0.0  locality=OUT
>>>>       port: 0
>>>>       os:   idSource=unknown  type=unknown  relevance=unknown
>>>>   summary: 8  final=true  initialAlert=1376465320547002492  summaryType=Regular
>>>>   alertDetails: Regular Summary: 8 events this interval ;
>>>>   riskRatingValue: 75  targetValueRating=medium
>>>>   threatRatingValue: 75
>>>>   interface: ge0_0
>>>>   protocol: udp
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>>>>
>>>> iPexpert on YouTube: www.youtube.com/ipexpertinc
>>>>
>>>
>>>
>>
>
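Piotr's explanation of the "Summarize" alert mode (first event in the interval fires a regular alert; at the end of the interval one Summary per Summary Key counts every event for that key, with the non-key participant blanked to 0.0.0.0) is easy to model. The block below is an added illustration for this thread, not Cisco code and not anything posted above: the `Event`, `risk_rating` and `summarize` names are mine, the events are constructed from Piotr's 2+3 example, and the risk-rating arithmetic (signature base rating plus 10 when the attack relevance is "relevant", 0 when it is unknown) is an assumption chosen because it reproduces the 85/75 pair in Jeremy's logs. It also generalises slightly beyond the thread by letting the Summary Key be "attacker" or "victim".

```python
# Added illustration (not Cisco's code): a toy model of the IPS "Summarize"
# alert mode keyed on the attacker address, as described in the thread.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One signature hit seen by the sensor (constructed sample data)."""
    attacker: str
    victim: str
    port: int = 514
    relevance: str = "relevant"  # attack relevance: "relevant" or "unknown"


def risk_rating(base: int, relevance: str) -> int:
    """Assumed contribution of the attack relevance rating to the RR:
    +10 when relevant, -10 when not relevant, 0 when unknown.
    (Assumption; with a base of 75 it yields the 85/75 pair in the logs.)"""
    return base + {"relevant": 10, "not relevant": -10}.get(relevance, 0)


def summarize(events, summary_key="attacker", base_rating=75):
    """Process one summary interval.

    Returns (regular_alerts, summaries). The first event for each key
    produces a normal alert with full participant detail; at the end of the
    interval each key gets exactly one Summary whose count covers every
    event for that key. The participant that is not the key is blanked to
    0.0.0.0 / port 0, mirroring the summary record in Jeremy's logs.
    """
    regular_alerts = []
    counts = defaultdict(int)
    for ev in events:
        key = getattr(ev, summary_key)
        if counts[key] == 0:
            regular_alerts.append({
                "attacker": ev.attacker,
                "target": ev.victim,
                "port": ev.port,
                "riskRating": risk_rating(base_rating, ev.relevance),
            })
        counts[key] += 1

    summaries = []
    for key, n in counts.items():
        attacker = key if summary_key == "attacker" else "0.0.0.0"
        target = key if summary_key == "victim" else "0.0.0.0"
        summaries.append({
            "attacker": attacker,
            "target": target,
            "port": 0,
            "events": n,
            # No identifiable victim in a summary, so relevance is unknown
            # and the summary carries only the signature's base rating.
            "riskRating": risk_rating(base_rating, "unknown"),
        })
    return regular_alerts, summaries


# Piotr's example: 7.7.3.10 hits 1.2.3.4 twice and 2.3.4.5 three times.
SAMPLE_INTERVAL = [
    Event("7.7.3.10", "1.2.3.4"),
    Event("7.7.3.10", "1.2.3.4"),
    Event("7.7.3.10", "2.3.4.5"),
    Event("7.7.3.10", "2.3.4.5"),
    Event("7.7.3.10", "2.3.4.5"),
]

if __name__ == "__main__":
    alerts, sums = summarize(SAMPLE_INTERVAL)
    for a in alerts:
        print("alert  ", a)
    for s in sums:
        print("summary", s)
```

Running it with the attacker key gives one regular alert (target 1.2.3.4, RR 85) and one summary for 7.7.3.10 with target 0.0.0.0, 5 events and RR 75; switching the key to "victim" instead yields two alerts and two summaries (2 and 3 events), which is the trade-off a sensor operator makes when choosing the Summary Key.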