https://community.cisco.com/t5/network-security/tcp-window-variation-id-1307/m-p/1733370#M56122 <P>Hi, We are getting quite a lot of these alerts and I can't find any info. on the internet.&nbsp; Can anyone shed any light on it..&nbsp; There are hundreds of these alerts and most of the time the IP adresses are different.&nbsp; As far as I can see most of the time the attacker ip address has been from inside address range.&nbsp; Thanks. Regards </P><P></P><P>evIdsAlert: eventId=1277786506114716833&nbsp; vendor=Cisco&nbsp; severity=high&nbsp; </P><P></P><P>&nbsp; originator:&nbsp;&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp; hostId: abcips1&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp; appName: sensorApp&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp; appInstanceId: 414&nbsp; </P><P></P><P>&nbsp; time: Oct 06, 2011 05:26:59 UTC&nbsp; offset=0&nbsp; timeZone=GMT00:00&nbsp; </P><P></P><P>&nbsp; signature:&nbsp;&nbsp; description=TCP Window Variation&nbsp; id=1307&nbsp; version=S212&nbsp; type=anomaly&nbsp; created=20030801&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp; subsigId: 0&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp; sigDetails: TCP Window varied in a suspect way&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp; marsCategory: Info/Misc&nbsp; </P><P></P><P>&nbsp; interfaceGroup: vs0&nbsp; </P><P></P><P>&nbsp; vlan: 0&nbsp; </P><P></P><P>&nbsp; participants:&nbsp;&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp; attacker:&nbsp;&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; addr: x.x.x.x&nbsp; locality=OUT&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; port: 39825&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp; target:&nbsp;&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; addr: x.x.x.x&nbsp; locality=OUT&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; port: 5667&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; os:&nbsp;&nbsp; idSource=learned&nbsp; type=linux&nbsp; relevance=relevant&nbsp; </P><P></P><P>&nbsp; riskRatingValue: 100&nbsp; targetValueRating=medium&nbsp; attackRelevanceRating=relevant&nbsp; </P><P></P><P>&nbsp; threatRatingValue: 100&nbsp; </P><P></P><P>&nbsp; interface: ge0_1&nbsp; </P><P></P><P>&nbsp; protocol: tcp&nbsp; </P> Sun, 10 Mar 2019 12:30:13 GMT desaijaimin 2019-03-10T12:30:13Z https://community.cisco.com/t5/network-security/tcp-window-variation-id-1307/m-p/1733370#M56122 <P>Hi, We are getting quite a lot of these alerts and I can't find any info. on the internet.&nbsp; Can anyone shed any light on it..&nbsp; There are hundreds of these alerts and most of the time the IP adresses are different.&nbsp; As far as I can see most of the time the attacker ip address has been from inside address range.&nbsp; Thanks. Regards </P><P></P><P>evIdsAlert: eventId=1277786506114716833&nbsp; vendor=Cisco&nbsp; severity=high&nbsp; </P><P></P><P>&nbsp; originator:&nbsp;&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp; hostId: abcips1&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp; appName: sensorApp&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp; appInstanceId: 414&nbsp; </P><P></P><P>&nbsp; time: Oct 06, 2011 05:26:59 UTC&nbsp; offset=0&nbsp; timeZone=GMT00:00&nbsp; </P><P></P><P>&nbsp; signature:&nbsp;&nbsp; description=TCP Window Variation&nbsp; id=1307&nbsp; version=S212&nbsp; type=anomaly&nbsp; created=20030801&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp; subsigId: 0&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp; sigDetails: TCP Window varied in a suspect way&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp; marsCategory: Info/Misc&nbsp; </P><P></P><P>&nbsp; interfaceGroup: vs0&nbsp; </P><P></P><P>&nbsp; vlan: 0&nbsp; </P><P></P><P>&nbsp; participants:&nbsp;&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp; attacker:&nbsp;&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; addr: x.x.x.x&nbsp; locality=OUT&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; port: 39825&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp; target:&nbsp;&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; addr: x.x.x.x&nbsp; locality=OUT&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; port: 5667&nbsp; </P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; os:&nbsp;&nbsp; idSource=learned&nbsp; type=linux&nbsp; relevance=relevant&nbsp; </P><P></P><P>&nbsp; riskRatingValue: 100&nbsp; targetValueRating=medium&nbsp; attackRelevanceRating=relevant&nbsp; </P><P></P><P>&nbsp; threatRatingValue: 100&nbsp; </P><P></P><P>&nbsp; interface: ge0_1&nbsp; </P><P></P><P>&nbsp; protocol: tcp&nbsp; </P> Sun, 10 Mar 2019 12:30:13 GMT https://community.cisco.com/t5/network-security/tcp-window-variation-id-1307/m-p/1733370#M56122 desaijaimin 2019-03-10T12:30:13Z https://community.cisco.com/t5/network-security/tcp-window-variation-id-1307/m-p/1733371#M56125 <HTML><HEAD></HEAD><BODY><P> <A href="http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1307">http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1307</A></P><P></P><P>You might have some kind of device (proxy or firewall, possibly) that is manipulating the size of the TCP window.</P></BODY></HTML> Thu, 06 Oct 2011 17:59:15 GMT https://community.cisco.com/t5/network-security/tcp-window-variation-id-1307/m-p/1733371#M56125 mark.barrett 2011-10-06T17:59:15Z https://community.cisco.com/t5/network-security/tcp-window-variation-id-1307/m-p/1733372#M56129 <HTML><HEAD></HEAD><BODY><P>Thanks Mark. We do have an ASA as well as proxy (threat management gateway). I did see link that you posted before I posted my question but its not very clear from the article what can be done to resolve the problem.&nbsp; It says "incorrectly configured" but in what way? It would have been nice if it gave us the possible solutions?&nbsp; or what to check?&nbsp; Thanks. Regards</P></BODY></HTML> Fri, 07 Oct 2011 08:10:21 GMT https://community.cisco.com/t5/network-security/tcp-window-variation-id-1307/m-p/1733372#M56129 desaijaimin 2011-10-07T08:10:21Z