Not for coalesced source addresses.

When the coalescer does data reduction, it just blindly sticks in 0.0.0.0; it
doesn't try to do what you describe. The reason for this was to clearly have a
marker to indicate that the source address is spoofed -- to be able to report
on all "spoofed" attacks.

However, the situation becomes much more difficult for IPv6. The current
product supports IPv6 -- though it sticks the real IPv6 address in as
"name=value" pairs (one of the odd features of RealSecure is that it decorates
events with additional information that you can see when you view the event
details). We've planned to do something more interesting with coalesced
addresses when we also add support for IPv6. (As you probably know, we just use
a 32-bit integer to represent IPv4 addresses, which doesn't work for IPv6.)

Note that we do indeed do what you describe for DESTINATION addresses, e.g.
ServiceSweep, with additional name=value pairs to describe what we've done with
the addresses.


--- Talisker <[EMAIL PROTECTED]> wrote:
> Hi Graham
> Do the 16+ addresses have to have a variation across all 4 IP octets? For
> instance, where I see multiple addresses where only the last 2 octets vary,
> then the address will be represented as 192.168.0.0, and 3 octets as
> 192.0.0.0. Therefore I see a reported address of 0.0.0.0 as a variation in
> all 4 octets. Sounds minor I know, but when you run a class A address the
> difference is crucial.
> 
> take care
> -andy
> Taliskers Network Security Tools
> http://www.networkintrusion.co.uk
> ----- Original Message -----
> From: "Graham, Robert (ISS Atlanta)" <[EMAIL PROTECTED]>
> To: "CHO" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Monday, March 31, 2003 10:17 PM
> Subject: RE: [ISSForum] source 0.0.0.0
> 
> 
> > The IP address "0.0.0.0" means that "we are unsure of the exact source";
> > it doesn't mean that the address 0.0.0.0 was actually seen on the wire.
> >
> > The biggest source of this is from the "coalescer" on the sensor. The
> > basic purpose of the coalescer is to combine identical events into a single
> > event with a "repeat-count". However, if somebody spoofs their IP address
> > and floods the sensor, then such logic wouldn't successfully coalesce
> > events, which would then fill up your database. Therefore, the coalescer has
> > logic that triggers when the same event comes in from more than 16
> > sources -- then changes the source to 0.0.0.0. In practice, this has made a
> > major difference in survivability of the sensor vs. worms and DDoS attacks,
> > though it didn't work as well for Slammer as we hoped (something we are
> > fixing in the next major XPU).
> >
> >
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> > CHO
> > Sent: Monday, March 31, 2003 8:42 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ISSForum] source 0.0.0.0
> >
> >
> > I am getting a lot of events coming from IP address 0.0.0.0.
> > Various events....
> > What can that be? Is somebody in here trying to crack the hell out of our
> > net??? Or is it just normal??
> > How can it appear in normal traffic?
> >
> >
> > CHO-Chief Hacking Officer
> >
> > We are drowning in information, but starving for KNOWLEDGE!
> >
> >
> >
> >
> >
> > _______________________________________________
> > ISSForum mailing list
> > [EMAIL PROTECTED]
> >
> > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> > https://atla-mm1.iss.net/mailman/listinfo
> 



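The coalescer behaviour Robert describes (identical events merged into one record with a repeat count; once more than 16 distinct sources report the same event, the source is replaced by the 0.0.0.0 "unsure of the source" marker), as an added toy model for readers of the thread; it is not RealSecure's code. It also implements the per-octet prefix summary Andy proposes (192.168.0.0 when only the last two octets vary), so the two schemes can be compared on the same input. The signature name, addresses and class layout are constructed assumptions.

```python
"""Toy IDS event coalescer modelled on the thread's description (constructed
example, not RealSecure code)."""
from dataclasses import dataclass, field

MAX_SOURCES = 16          # threshold quoted in the thread ("more than 16 sources")
SPOOFED_MARKER = "0.0.0.0"  # means "unsure of the exact source", not seen on the wire


@dataclass
class CoalescedEvent:
    signature: str
    dst: str
    src: str                    # first source seen, or SPOOFED_MARKER
    repeat_count: int = 0
    sources: set = field(default_factory=set)   # distinct sources observed


class Coalescer:
    """Merges identical (signature, destination) events into one record."""

    def __init__(self, max_sources: int = MAX_SOURCES):
        self.max_sources = max_sources
        self.events: dict = {}  # (signature, dst) -> CoalescedEvent

    def add(self, signature: str, src: str, dst: str) -> CoalescedEvent:
        key = (signature, dst)
        ev = self.events.get(key)
        if ev is None:
            ev = self.events[key] = CoalescedEvent(signature, dst, src)
        ev.repeat_count += 1
        ev.sources.add(src)
        # Flood / spoofing heuristic from the thread: too many distinct sources
        # for one event, so stop tracking the source and mark it 0.0.0.0.
        if len(ev.sources) > self.max_sources:
            ev.src = SPOOFED_MARKER
        return ev


def prefix_summary(addrs) -> str:
    """Andy's proposal: keep leading octets that all sources share and zero
    out the first varying octet and everything after it (192.168.0.0 when only
    the last two octets vary; 0.0.0.0 only when even the first octet varies)."""
    octets = [list(map(int, a.split("."))) for a in addrs]
    out, varies = [], False
    for i in range(4):
        vals = {o[i] for o in octets}
        varies = varies or len(vals) > 1
        out.append("0" if varies else str(vals.pop()))
    return ".".join(out)
```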