Hi,

This is a summary - looks like the Summary Key was set to the Attacker's address, which means that you don't care who the Victim is when you generate a Summary (Summaries are based on Attackers).

Don't you have any Target Value Rating associated with the victim which would bump the RR in the regular event?

Regards,

Piotr Kaluzny : Sr Instructor : iPexpert <http://www.ipexpert.com>
CCIE # 25665 :: Security :: World-Class Cisco Certification Training
Direct: +1.810.332.1444 :: Free Videos <http://www.youtube.com/ipexpertinc> :: Free Training / Product Offerings <https://www.facebook.com/IPexpert> :: CCIE Blog <http://blog.ipexpert.com/> :: Twitter <https://twitter.com/ipexpert>

On Tue, Nov 12, 2013 at 1:06 AM, jeremy co <[email protected]> wrote:

> Hi,
>
> ASA1/2 (7.7.3.10) ------IPS----------- SYSLOG SERVER (150.1.7.20)
>
> I configured a custom signature for syslog messaging between host A and B.
>
> ASA1/ASA2 are in active/standby mode producing syslogs, and the IPS is supposed to pick this up.
>
> I can see the IPS sig trigger when it sees traffic from IP A to IP B on port 514 with "alert high 85":
>
> evIdsAlert: eventId=1376465320547002492 vendor=Cisco severity=high alarmTraits=32768
>   originator:
>     hostId: IPS
>     appName: sensorApp
>     appInstanceId: 1203
>   time: Nov 11, 2013 22:12:19 UTC offset=0 timeZone=UTC
>   signature: description=syslog id=61000 version=custom type=other created=20000101
>     subsigId: 0
>     sigDetails: My Sig Info
>   interfaceGroup: vs0
>   vlan: 3
>   participants:
>     attacker:
>       addr: 7.7.3.10 locality=OUT
>       port: 514
>     target:
>       addr: 150.1.7.20 locality=OUT
>       port: 514
>       os: idSource=unknown type=unknown relevance=relevant
>   riskRatingValue: 85 targetValueRating=medium attackRelevanceRating=relevant
>   threatRatingValue: 85
>   interface: ge0_0
>   protocol: udp
>
> PROBLEM:
>
> I can see the same sig triggered with the following (alert 75 and destination 0.0.0.0):
>
> What is 0.0.0.0 doing here? I never configured it on my custom sig. And why is the alert level 75, while the above one is 85? My original config is 75.
>
> evIdsAlert: eventId=1376465320547002493 vendor=Cisco severity=high alarmTraits=32768
>   originator:
>     hostId: IPS
>     appName: sensorApp
>     appInstanceId: 1203
>   time: Nov 11, 2013 22:12:34 UTC offset=0 timeZone=UTC
>   signature: description=syslog id=61000 version=custom type=other created=20000101
>     subsigId: 0
>     sigDetails: My Sig Info
>   interfaceGroup: vs0
>   vlan: 3
>   participants:
>     attacker:
>       addr: 7.7.3.10 locality=OUT
>       port: 0
>     target:
>       addr: 0.0.0.0 locality=OUT
>       port: 0
>       os: idSource=unknown type=unknown relevance=unknown
>   summary: 8 final=true initialAlert=1376465320547002492 summaryType=Regular
>   alertDetails: Regular Summary: 8 events this interval ;
>   riskRatingValue: 75 targetValueRating=medium
>   threatRatingValue: 75
>   interface: ge0_0
>   protocol: udp
>
> _______________________________________________
> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
> iPexpert on YouTube: www.youtube.com/ipexpertinc
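As an added example (not code from the thread, and not Cisco's own tooling), here is a small Python script that parses the two evIdsAlert blocks quoted above, tells a per-event alert from a regular summary, and recomputes the risk rating with the Cisco IPS formula RR = ASR * TVR * SFR / 10000 + ARR - PD + WLR. The alert samples are constructed from the fields in the thread, trimmed to what the parser needs; the signature fidelity rating (SFR = 75) is an assumption, since the thread does not show the signature's configuration. With ASR 100 (high), TVR 100 (medium) and SFR 75 the per-event alert scores 75 plus 10 for relevance=relevant, i.e. 85, while the attacker-keyed summary has no real target, so relevance is unknown and the rating stays at 75. Both numbers match the reported riskRatingValue fields.

```python
"""Parse Cisco IPS evIdsAlert text and recompute the risk rating (RR).
Added example: samples are constructed from the thread's alerts; SFR=75 is assumed."""
import re

# Risk-rating component values from the Cisco IPS documentation.
ATTACK_SEVERITY = {"informational": 25, "low": 50, "medium": 75, "high": 100}
TARGET_VALUE = {"zerovalue": 50, "low": 75, "medium": 100, "high": 150,
                "missioncritical": 200}
ATTACK_RELEVANCE = {"relevant": 10, "notrelevant": -10, "unknown": 0}


def risk_rating(severity, target_value, relevance, sfr, promiscuous_delta=0, watch_list=0):
    """RR = ASR * TVR * SFR / 10000 + ARR - PD + WLR, clamped to 0..100."""
    rr = ATTACK_SEVERITY[severity] * TARGET_VALUE[target_value] * sfr / 10000
    rr += ATTACK_RELEVANCE[relevance] - promiscuous_delta + watch_list
    return max(0, min(100, int(round(rr))))


# Constructed samples: the per-event alert and the regular summary from the thread.
EVENT_ALERT = """\
evIdsAlert: eventId=1376465320547002492 vendor=Cisco severity=high alarmTraits=32768
  signature: description=syslog id=61000 version=custom type=other created=20000101
  participants:
    attacker:
      addr: 7.7.3.10 locality=OUT
      port: 514
    target:
      addr: 150.1.7.20 locality=OUT
      port: 514
      os: idSource=unknown type=unknown relevance=relevant
  riskRatingValue: 85 targetValueRating=medium attackRelevanceRating=relevant
"""

SUMMARY_ALERT = """\
evIdsAlert: eventId=1376465320547002493 vendor=Cisco severity=high alarmTraits=32768
  signature: description=syslog id=61000 version=custom type=other created=20000101
  participants:
    attacker:
      addr: 7.7.3.10 locality=OUT
      port: 0
    target:
      addr: 0.0.0.0 locality=OUT
      port: 0
      os: idSource=unknown type=unknown relevance=unknown
  summary: 8 final=true initialAlert=1376465320547002492 summaryType=Regular
  riskRatingValue: 75 targetValueRating=medium
"""

FIELD_RE = re.compile(r"^(\w+):\s*(.*)$")
ATTR_RE = re.compile(r"(\w+)=(\S+)")
PARTICIPANT_KEYS = ("addr", "port", "os")


def parse_alert(text):
    """Flatten one evIdsAlert block: first token of a field becomes its value,
    every key=value pair goes into 'attrs', attacker/target children are kept apart."""
    alert = {"fields": {}, "attrs": {}, "attacker": {}, "target": {}}
    section = None
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue
        key, rest = m.groups()
        if not rest:                        # bare 'attacker:' / 'target:' opens a block
            section = key if key in ("attacker", "target") else None
            continue
        if key not in PARTICIPANT_KEYS:     # any other field closes the participant block
            section = None
        first = rest.split()[0]
        if "=" not in first:
            (alert[section] if section else alert["fields"])[key] = first
        alert["attrs"].update(ATTR_RE.findall(rest))
    return alert


def analyze(text, sfr=75):
    """Classify an alert as per-event or summary and recompute its RR.
    A summary carries a 'summary' field and, with the summary key on the attacker
    address, a 0.0.0.0 target and relevance=unknown, so the +10 relevance bonus
    of the per-event alert is absent and the RR drops from 85 to 75."""
    a = parse_alert(text)
    attrs = a["attrs"]
    return {
        "kind": "summary" if "summary" in a["fields"] else "event",
        "attacker": a["attacker"].get("addr"),
        "target": a["target"].get("addr"),
        "events": int(a["fields"].get("summary", 1)),
        "reported_rr": int(a["fields"]["riskRatingValue"]),
        "computed_rr": risk_rating(attrs["severity"], attrs["targetValueRating"],
                                   attrs.get("relevance", "unknown"), sfr),
    }


if __name__ == "__main__":
    for sample in (EVENT_ALERT, SUMMARY_ALERT):
        print(analyze(sample))
```

If the signature's real fidelity rating differs from 75, pass it as `analyze(text, sfr=...)`; a mismatch between `computed_rr` and `reported_rr` then points at a component (TVR, relevance, watch list) you have not accounted for.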
