Question
Why are my Protect events coming in from 0.0.0.0?
Answer
Protect shows an IP of 0.0.0.0 for attacks that are triggered by one of Protect's "semantic" rules. These rules do not require input from a specific request; they can be triggered by things we see happening within the code, or when a file in the local file system is read. In that case, there will be no URL associated with the attack event.
Some rules that may show attacks from IP 0.0.0.0 are:
- Path Traversal: A file such as /etc/hosts is accessed.
- Untrusted Deserialization: A file object is being deserialized from an input file, such as an XML source.
- SQL Injection
- Command Injection
To evaluate specific examples, please submit a ticket to our online support portal with details or a screenshot of the event details.