In some circumstances, log entries from ISG/IDP devices can appear in NSM with destination address of 0.0.0.0. (This is true of IDP enabled SRX as well.)
In NSM, the default setting for log suppression is shown below. Notice the checkbox "Include Destination IPs When Performing Log Suppression" is unchecked by default.
ISG/IDP devices which enable log suppression will suppress the attack log according to five keys:
source-ip
destination-ip
attack-id
rule-id
vsys-id
When the checkbox is unchecked as it is above, the destination field of an attack log will be set zero to make more logs suppressed. This process happens on the IDP module, so when NSM receives the log, there is no destination address, thus 0.0.0.0 is displayed.
When the checkbox is checked, the destination field will be kept. (The device must be updated from NSM after the checkbox value is changed.)
NOTE: When talking about log suppression in this case, it refers to the sending of multiple logs on the same event. By default, log suppression is enabled without including the destination IP. This is simply done to reduce the amount of logs coming from the IDP in regards to the same event. It is also important to note that the first instance of any new event requiring a log entry is always sent. However, if an event would trigger several logs (i.e. 13 logs or more) the IDP suppresses from sending the duplicates. The same is true for any minor change in an event. For example, in a DDOS attack, the source address is likely to change frequently; for each change of source, we would indeed send a log.