With the Summary Mode set to "Summarize" (what you did), you will always
see a first alert for the Attacker and then at the end of the interval a
so-called Summary which is a collective-like log for all events seen
generated based on *Summary Key*. Since your Summary Key is "Attacker", it
means that you only care about the IP address of the Attacker (in the
Summaries), and not the IP address of the Victim.

Example - 7.7.3.10 attacked 1.2.3.4 twice and 2.3.4.5 3 times. What you
would see at the end of the Interval is a Summary Log for 7.7.3.10 with the
total number of Events of 2+3=5. So this is when IPS is telling you that it
has seen 5 attacks from 7.7.3.10 total, no matter how many victims there
were in this interval (it replaces Victims' IPs with 0.0.0.0).


Regards,

Piotr Kaluzny : Sr Instructor : iPexpert <http://www.ipexpert.com>
CCIE # 25665 :: Security
*:: World-Class Cisco Certification Training*

Direct: +1.810.332.1444
:: Free Videos <http://www.youtube.com/ipexpertinc>
:: Free Training / Product Offerings <https://www.facebook.com/IPexpert>
:: CCIE Blog <http://blog.ipexpert.com/>
:: Twitter <https://twitter.com/ipexpert>

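The aggregation described above, as an added example that is not part of the original thread or of Cisco's sensor code: a small Python model of Summary Mode = "Summarize" with the Summary Key set to the attacker. Each (interval, key) group yields one regular alert for its first hit and one Summary at the end of the interval carrying the total count, with the victim reported as 0.0.0.0 / port 0 because the key does not cover it. The `Event` fields, the event ids, the timestamps and the 30-second interval are constructed; the `attacker_victim` key is an assumed alternative added only for contrast with the attacker-only behaviour.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """One signature hit as seen by the sensor (fields mirror evIdsAlert participants)."""
    event_id: int
    attacker: str
    victim: str
    victim_port: int
    ts: int  # seconds on a constructed timeline, not sensor time


# Summary Key selectors. "attacker" is the setting discussed in the thread;
# "attacker_victim" is an assumed alternative included for contrast.
SUMMARY_KEYS: Dict[str, Callable[[Event], Tuple[str, ...]]] = {
    "attacker": lambda e: (e.attacker,),
    "attacker_victim": lambda e: (e.attacker, e.victim),
}


def summarize(events: List[Event], interval: int, key: str = "attacker") -> List[dict]:
    """Emulate Summary Mode = Summarize.

    For each (interval, Summary Key) group the first hit is reported as a
    regular alert; at the end of the interval one Summary alert reports the
    total hit count for that key. Fields the key does not cover (the victim,
    when keyed on the attacker only) are reported as 0.0.0.0 / port 0.
    """
    keyfn = SUMMARY_KEYS[key]
    alerts: List[dict] = []
    groups: Dict[Tuple[int, Tuple[str, ...]], dict] = {}

    for ev in sorted(events, key=lambda e: e.ts):
        gid = (ev.ts // interval, keyfn(ev))
        grp = groups.get(gid)
        if grp is None:
            # First hit for this key in this interval: a regular alert fires now
            groups[gid] = {"first": ev, "count": 1}
            alerts.append({
                "type": "regular",
                "event_id": ev.event_id,
                "ts": ev.ts,
                "attacker": ev.attacker,
                "target": ev.victim,
                "target_port": ev.victim_port,
            })
        else:
            grp["count"] += 1

    for (bucket, _), grp in groups.items():
        first: Event = grp["first"]
        alerts.append({
            "type": "summary",
            "initial_alert": first.event_id,  # like initialAlert= in evIdsAlert
            "ts": (bucket + 1) * interval,     # emitted at the end of the interval
            "attacker": first.attacker,
            # Victim is only meaningful if it is part of the Summary Key
            "target": first.victim if key == "attacker_victim" else "0.0.0.0",
            "target_port": 0,
            "events": grp["count"],
            "alert_details": f"Regular Summary: {grp['count']} events this interval ;",
        })

    # Summaries sort after the regular alerts of the same interval
    alerts.sort(key=lambda a: (a["ts"], a["type"] == "summary"))
    return alerts


# Constructed sample: the thread's own numbers, 7.7.3.10 hitting 1.2.3.4 twice
# and 2.3.4.5 three times inside one 30-second interval.
SAMPLE_EVENTS = [
    Event(1001, "7.7.3.10", "1.2.3.4", 514, 2),
    Event(1002, "7.7.3.10", "2.3.4.5", 514, 5),
    Event(1003, "7.7.3.10", "1.2.3.4", 514, 9),
    Event(1004, "7.7.3.10", "2.3.4.5", 514, 14),
    Event(1005, "7.7.3.10", "2.3.4.5", 514, 21),
]

if __name__ == "__main__":
    for alert in summarize(SAMPLE_EVENTS, interval=30):
        print(alert)
```

With the attacker key the run produces exactly two alerts: the regular alert for event 1001 (target 1.2.3.4, port 514) and a Summary with 5 events and target 0.0.0.0, which is the shape of the second evIdsAlert quoted further down. Switching to `attacker_victim` splits the same traffic into two groups (2 and 3 events), each keeping its real victim address.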

On Tue, Nov 12, 2013 at 2:27 AM, jeremy co <jeremy.coo...@gmail.com> wrote:

> I'm not sure what you mean by "Don't you have any Target Value Rating
> associated with the victim which would bump the RR in the regular event?"
>
> The only thing that I did was following the sig wizard. So if you mean adding
> any extra rating to the victim (150.1.7.20): no.
>
> Here is the screenshot of my custom sig. It hits the specific IP address,
> but *my problem is why it hits 0.0.0.0?*
>
>
> On Mon, Nov 11, 2013 at 5:01 PM, Piotr Kaluzny <pio...@ipexpert.com> wrote:
>
>> Hi
>>
>> This is a summary - looks like the Summary Key was set to the Attacker's
>> address which means that you don't care who the Victim is when you generate
>> a Summary (Summaries are based on Attackers).
>>
>> Don't you have any Target Value Rating associated with the victim which
>> would bump the RR in the regular event?
>>
>> Regards,
>>
>>
>> On Tue, Nov 12, 2013 at 1:06 AM, jeremy co <jeremy.coo...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>>
>>> ASA1/2  (7.7.3.10) ------IPS----------- SYSLOG SERVER (150.1.7.20)
>>>
>>> I configured a custom signature for syslog messaging between host A and
>>> B.
>>>
>>> ASA1/ASA2 are in active/standby mode producing syslogs, and the IPS is
>>> supposed to pick this up.
>>>
>>> I can see the IPS sig trigger when it sees traffic from IP A to IP B on
>>> port 514 with "alert high 85":
>>>
>>>
>>> evIdsAlert: eventId=1376465320547002492  vendor=Cisco  severity=high
>>> alarmTraits=32768
>>>   originator:
>>>     hostId: IPS
>>>     appName: sensorApp
>>>     appInstanceId: 1203
>>>   time: Nov 11, 2013 22:12:19 UTC  offset=0  timeZone=UTC
>>>   signature:   description=syslog  id=61000  version=custom  type=other
>>> created=20000101
>>>     subsigId: 0
>>>     sigDetails: My Sig Info
>>>   interfaceGroup: vs0
>>>   vlan: 3
>>>   participants:
>>>     attacker:
>>>       addr: 7.7.3.10  locality=OUT
>>>       port: 514
>>>     target:
>>>       addr: 150.1.7.20  locality=OUT
>>>       port: 514
>>>       os:   idSource=unknown  type=unknown  relevance=relevant
>>>   riskRatingValue: 85  targetValueRating=medium
>>> attackRelevanceRating=relevant
>>>   threatRatingValue: 85
>>>   interface: ge0_0
>>>   protocol: udp
>>>
>>>
>>> *PROBLEM: *
>>>
>>> I can see the same sig triggered with the following (alert 75 and
>>> destination 0.0.0.0):
>>>
>>> *What is 0.0.0.0 doing here? I never configured it on my custom sig.
>>> And why is the alert level 75, when on the above one it is 85? My
>>> original config is 75.*
>>>
>>>
>>> evIdsAlert: eventId=1376465320547002493  vendor=Cisco  severity=high
>>> alarmTraits=32768
>>>   originator:
>>>     hostId: IPS
>>>     appName: sensorApp
>>>     appInstanceId: 1203
>>>   time: Nov 11, 2013 22:12:34 UTC  offset=0  timeZone=UTC
>>>   signature:   description=syslog  id=61000  version=custom  type=other
>>> created=20000101
>>>     subsigId: 0
>>>     sigDetails: My Sig Info
>>>   interfaceGroup: vs0
>>>   vlan: 3
>>>   participants:
>>>     attacker:
>>>       addr: 7.7.3.10  locality=OUT
>>>       port: 0
>>>     target:
>>>       addr: 0.0.0.0  locality=OUT
>>>       port: 0
>>>       os:   idSource=unknown  type=unknown  relevance=unknown
>>>   summary: 8  final=true  initialAlert=1376465320547002492
>>> summaryType=Regular
>>>   alertDetails: Regular Summary: 8 events this interval ;
>>>   riskRatingValue: 75  targetValueRating=medium
>>>   threatRatingValue: 75
>>>   interface: ge0_0
>>>   protocol: udp
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>>>
>>> iPexpert on YouTube: www.youtube.com/ipexpertinc
>>>
>>
>>
>