landreoli
Level 9

When a destination ip is not a correct ip address...

Hi,

Has anyone happened to have, in the SIEM events, a destination IP like this: "::" (two colons, i.e. a dot-like character repeated two times)?

In this case, what did you do about it? How can you exclude them from the correlation rules?

Thank you

Luca

0 Kudos
15 Replies
priyal.dhole
Level 7

Re: When a destination ip is not a correct ip address...

Hi,

Is this a parsing issue? If yes, how do we resolve it?

0 Kudos
xded
Level 12

Re: When a destination ip is not a correct ip address...

hi,

This happens if one src_ip connects to more than one dest_ip; then the Receiver will aggregate these events as one event. You can configure your aggregation settings in the properties of the Receiver.

0 Kudos
priyal.dhole
Level 7

Re: When a destination ip is not a correct ip address...

Hi

Is it possible to explain it to me in detail, like:

What type of configuration?

0 Kudos
arnieos
Level 7

Re: When a destination ip is not a correct ip address...

I do not think aggregation will aggregate events with more than one destination IP. Remember the default fields for aggregation are Signature ID, Source IP and Destination IP. It will only aggregate events that will match the 3 fields. I'm wondering if destination IP with :: only means that it is the same with the source IP, just a guess. I'm still trying to find out what it really means.

0 Kudos
yd9038
Level 9

Re: When a destination ip is not a correct ip address...

Here's what the Product Guide says about "::"

The source IP and destination IP address "not-set" values or aggregated values appear as "::" instead of as "0.0.0.0" in all result sets.

For example:

• ::ffff:10.0.12.7 is inserted as 0:0:0:0:0:FFFF:A00:C07 (A00:C07 is 10.0.12.7)

• ::0000:10.0.12.7 would be 10.0.12.7

0 Kudos
landreoli
Level 9

Re: When a destination ip is not a correct ip address...

Hi,

I do not know how to fix/resolve this. For example, in an event where the destination IP is "::", if I go to see the log from the data source (in this case Cisco ASA):

Deny tcp src outside:1.1.1.1/58108 dst DMZ-webfarm:Vpn-test-pubblico/23 by access-group "OutsideTotheDMZ-WebFarm-123"

How can I translate the "::" into a correct IP address?

Thank you

Luca

0 Kudos
yd9038
Level 9

Re: When a destination ip is not a correct ip address...

Luca,

Is this the entire packet?

Deny tcp src outside:1.1.1.1/58108 dst DMZ-webfarm:Vpn-test-pubblico/23 by access-group "OutsideTotheDMZ-WebFarm-123"

If not, can you please provide the entire packet data?

And please provide the Signature ID of the event as well.

Also, the text in bold: are those real IP addresses that you just typed in as text in place of what is in the log?

Basically, if there isn't an IP address for destination in the raw event packet, then there is nothing for SIEM receiver to parse to Destination IP field, and the ESM will just display that as ::.

0 Kudos
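The two things described in this thread, the "::" placeholder that yd9038 quotes from the Product Guide (including the IPv4-mapped form ::ffff:10.0.12.7) and a destination that the Receiver cannot parse because the ASA line carries an object name (Vpn-test-pubblico) instead of an address, can be reproduced with a small parser. The Python below is an added example, not code from the thread or from McAfee ESM: the regex, the function and field names, the UNSET sentinel and the sample lines (the first is Luca's quoted ASA line, the other two are constructed variants) are all assumptions made here for illustration.

```python
import ipaddress
import re
from typing import Optional

# "::" is what ESM shows for an IP field that was never set; the same string
# is what Python prints for the all-zero IPv6 address, so it doubles as a sentinel.
UNSET = "::"

# Constructed sample events. Line 0 is the ASA deny message quoted in the
# thread; lines 1 and 2 are made-up variants (a numeric destination and an
# IPv4-mapped IPv6 source) to exercise the edge cases.
SAMPLE_EVENTS = [
    'Deny tcp src outside:1.1.1.1/58108 dst DMZ-webfarm:Vpn-test-pubblico/23 by access-group "OutsideTotheDMZ-WebFarm-123"',
    'Deny tcp src outside:1.1.1.1/58109 dst DMZ-webfarm:10.0.12.7/23 by access-group "OutsideTotheDMZ-WebFarm-123"',
    'Deny tcp src outside:::ffff:10.0.12.7/443 dst inside:10.1.1.5/22 by access-group "constructed-acl"',
]

# Hypothetical pattern for the ASA "Deny <proto> src <if>:<addr>/<port> dst <if>:<addr>/<port>"
# shape seen in the thread. The interface name stops at the first ":"; the
# address part is non-greedy so an IPv6 literal with its own colons still works.
ASA_DENY = re.compile(
    r'^Deny (?P<proto>\w+) src (?P<src_if>[^:\s]+):(?P<src>\S+?)/(?P<sport>\d+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>\S+?)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"$'
)


def to_ip_or_unset(token: str) -> str:
    """Return a canonical IP string for token, or UNSET if it is not an address
    (for example an ASA object name). IPv4-mapped (::ffff:a.b.c.d) and the
    deprecated IPv4-compatible (::a.b.c.d) forms collapse to the plain IPv4."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return UNSET
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:
            return str(addr.ipv4_mapped)
        if 0 < int(addr) < 2**32:  # ::a.b.c.d, i.e. the "::0000:10.0.12.7" case
            return str(ipaddress.IPv4Address(int(addr)))
    return str(addr)


def esm_storage_form(token: str) -> str:
    """Render an IPv6 literal the way the Product Guide excerpt shows it stored,
    e.g. ::ffff:10.0.12.7 -> 0:0:0:0:0:FFFF:A00:C07."""
    addr = ipaddress.IPv6Address(token)
    return ":".join(f"{int(h, 16):X}" for h in addr.exploded.split(":"))


def parse_asa_deny(line: str) -> Optional[dict]:
    """Parse one ASA deny line; unparseable address tokens become UNSET but the
    raw token is kept so the unresolved object name is not lost."""
    m = ASA_DENY.match(line)
    if not m:
        return None
    d = m.groupdict()
    src_ip, dst_ip = to_ip_or_unset(d["src"]), to_ip_or_unset(d["dst"])
    return {
        "proto": d["proto"],
        "src_ip": src_ip,
        "src_name": d["src"] if src_ip == UNSET else None,
        "src_port": int(d["sport"]),
        "dst_ip": dst_ip,
        "dst_name": d["dst"] if dst_ip == UNSET else None,
        "dst_port": int(d["dport"]),
        "acl": d["acl"],
    }


def correlatable(event: dict) -> bool:
    """An event qualifies for IP-based correlation only if both endpoints were
    actually parsed; "::" in either field signals a parser gap, not a real peer."""
    return event["src_ip"] != UNSET and event["dst_ip"] != UNSET


def triage(lines) -> dict:
    """Split raw lines into events fit for correlation and the object names the
    parser could not turn into an IP (the list to fix in the parser or a mapping)."""
    good, unresolved = [], set()
    for line in lines:
        ev = parse_asa_deny(line)
        if ev is None:
            continue
        if correlatable(ev):
            good.append(ev)
        else:
            unresolved.update(n for n in (ev["src_name"], ev["dst_name"]) if n)
    return {"correlatable": good, "unresolved": sorted(unresolved)}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(len(result["correlatable"]), "correlatable events")
    print("unresolved object names:", result["unresolved"])
    print(esm_storage_form("::ffff:10.0.12.7"))
```

Run as-is, the script reports that only the two numeric-destination lines are correlatable and that "Vpn-test-pubblico" is the name the parser could not resolve; that unresolved list is the practical output, since an object name in the raw event means there is no address for the Receiver to place in the Destination IP field until the parser (or a name-to-IP mapping) knows about it.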
landreoli
Level 9

Re: When a destination ip is not a correct ip address...

Hi,

It is the complete packet without the data source tag/vendor...

Below there are details of such reporting with signature id.

The text in bold: those are real IP addresses that I just typed in as text in place of what is in the log.

Any suggestions? Because I have a lot of destination IPs like "::".

Thanks

0 Kudos
yd9038
Level 9

Re: When a destination ip is not a correct ip address...

If the destination IP is in the event packet, and it isn't shown in ESM, it's then a parser issue. If you send the packet data to me, I can take a look at the parser for you.

0 Kudos