topic TCP-Hijack - triggers continuously in Network Security

TCP-Hijack - triggers continuously

jodamus112 — Sun, 10 Mar 2019 13:08:22 GMT

Hi,

I have an IPS4270 appliance (IPS4270-20-K9) in IDS mode. I am getting continuous triggers on the TCP Hijack signature and the attacker is always the proxy server. with the target of various external addresses and 1 specific internal address hosting web services (ports 80 & 443).

evIdsAlert: eventId=6822622857377 vendor=Cisco severity=high alarmTraits=2147516416
originator:
    hostId: PETROSA-PRW-IPS4270-IPS1
    appName: sensorApp
    appInstanceId: 1492
time: Feb 07, 2014 12:33:17 UTC offset=120 timeZone=GMT+02:00
signature:   description=TCP Hijack id=3250 version=S739 type=anomaly created=20010202
    subsigId: 0
    sigDetails: TCP Hijack
interfaceGroup: ServerVlan
vlan: 3
participants:
    attacker:
      addr: 10.0.2.111 locality=OUT
      port: 65077
    target:
      addr: 198.72.112.12 locality=OUT
      port: 80
      os:   idSource=unknown type=unknown relevance=relevant
actions:
    snmpTrapRequested: true
triggerPacket:
000000 00 16 35 C2 39 87 00 24 14 BF 2E C0 81 00 A0 03 ..5.9..$........
000010 08 00 45 00 00 28 58 4A 40 00 7F 06 60 C2 0A 00 ..E..(XJ@...`...
000020 02 6F C6 48 70 0C FE 35 00 50 8C DB EE A7 B9 AF .o.Hp..5.P......
000030 CC 0E 50 10 80 52 EC F6 00 00 00 00 00 00 00 00 ..P..R..........

riskRatingValue: 100 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 100
interface: ge3_0
protocol: tcp

is this a false positive as it is triggering way too often and especially with it stating the proxy server as the attacker.

Thanks.

TCP-Hijack - triggers continuously

Mizanul Islam — Fri, 07 Feb 2014 13:51:15 GMT

Hi Jodamus112,

I suggest to you please do somethings for your network security (Configure IPS in Inline mode), Attacker attack to your web server from external site. Also make sure the webserver Antivirus working properly.

Regrads

Parosh

Re: TCP-Hijack - triggers continuously

jodamus112 — Fri, 07 Feb 2014 16:23:07 GMT

Hi Parosh,

Thanks for the feedback. Are you requesting that I test the IPS inline between Proxy server and external site. Or are you saying I must deploy like that permanently.

Currently our proxy server is on our Local LAN, in a Server VLAN, and we are spanning the VLAN to the IPS port to detect the complete server VLAN. So won't be able to deploy inline and might be an issue to do this just for test purposes as it will not replicate the existing and current environment.

Thanks
Julian
Sent from Cisco Technical Support iPad App