https://community.cisco.com/t5/network-security/tcp-hijack-attack-on-ips/m-p/1780091#M56299 <P><STRONG>Hi Guys,</STRONG></P><P></P><P><STRONG>our cisco ips is under tcp hijack attack the signature id is 3250 ..numbers of servers are targeted by this attack can any body tell me the proper metigation of this attack...</STRONG></P><P></P><P></P><P><STRONG>Regards</STRONG></P><P><STRONG>Sher</STRONG></P> Sun, 10 Mar 2019 12:28:20 GMT szamin125 2019-03-10T12:28:20Z https://community.cisco.com/t5/network-security/tcp-hijack-attack-on-ips/m-p/1780091#M56299 <P><STRONG>Hi Guys,</STRONG></P><P></P><P><STRONG>our cisco ips is under tcp hijack attack the signature id is 3250 ..numbers of servers are targeted by this attack can any body tell me the proper metigation of this attack...</STRONG></P><P></P><P></P><P><STRONG>Regards</STRONG></P><P><STRONG>Sher</STRONG></P> Sun, 10 Mar 2019 12:28:20 GMT https://community.cisco.com/t5/network-security/tcp-hijack-attack-on-ips/m-p/1780091#M56299 szamin125 2019-03-10T12:28:20Z https://community.cisco.com/t5/network-security/tcp-hijack-attack-on-ips/m-p/1780092#M56301 <HTML><HEAD></HEAD><BODY><P>here are details of what this signature does:</P><P></P><P><A class="jive-link-external-small" href="http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3250&amp;signatureSubId=0&amp;softwareVersion=6.0&amp;releaseVersion=S394">http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3250&amp;signatureSubId=0&amp;softwareVersion=6.0&amp;releaseVersion=S394</A></P><P></P><P>Can you post a sample alert for this signature here? feel free to modify any sensitive information (like IP addresses).</P><P></P><P>Regards,</P><P>Prapanch</P></BODY></HTML> Mon, 12 Sep 2011 16:20:34 GMT https://community.cisco.com/t5/network-security/tcp-hijack-attack-on-ips/m-p/1780092#M56301 praprama 2011-09-12T16:20:34Z https://community.cisco.com/t5/network-security/tcp-hijack-attack-on-ips/m-p/1780093#M56303 <HTML><HEAD></HEAD><BODY><P><STRONG>Dear Mr. Prapanch,</STRONG></P><P></P><P><STRONG>thanks for your Quick reply please check the logs of cisco IPS below...</STRONG></P><P><STRONG> </STRONG></P><DIV style="border-bottom: windowtext 2.25pt double; border-left: medium none; padding-bottom: 1pt; padding-left: 0cm; padding-right: 0cm; border-top: medium none; border-right: medium none; padding-top: 0cm;"><P style="padding: 0cm;"><STRONG>signature:&nbsp;&nbsp; description=TCP Hijack id=3250 version=S394 type=anomaly created=20010202 </STRONG></P><P style="padding: 0cm;"><STRONG>&nbsp;&nbsp; subsigId: 0 </STRONG></P><P style="padding: 0cm;"><STRONG>&nbsp;&nbsp; sigDetails: TCP Hijack </STRONG></P><P style="padding: 0cm;"><STRONG>&nbsp;&nbsp; marsCategory: Penetrate/HijackSession </STRONG></P><P style="padding: 0cm;"><STRONG>interfaceGroup: vs0 </STRONG></P><P style="padding: 0cm;"><STRONG>vlan:&nbsp; </STRONG></P><P style="padding: 0cm;"><STRONG>participants:&nbsp;&nbsp; </STRONG></P><P style="padding: 0cm;"><STRONG>&nbsp;&nbsp; attacker:&nbsp;&nbsp; </STRONG></P><P style="padding: 0cm;"><STRONG>&nbsp;&nbsp;&nbsp;&nbsp; addr: 111.111.111.222 (suppose this is public outside address)locality=OUT </STRONG></P><P style="padding: 0cm;"><STRONG>&nbsp;&nbsp;&nbsp;&nbsp; port: 1063 </STRONG></P><P style="padding: 0cm;"><STRONG>&nbsp;&nbsp; target:&nbsp;&nbsp; </STRONG></P><P style="padding: 0cm;"><STRONG>&nbsp;&nbsp;&nbsp;&nbsp; addr: 10.1.1.1(suppose this is web server) locality=OUT </STRONG></P><P style="padding: 0cm;"><STRONG>&nbsp;&nbsp;&nbsp;&nbsp; port: 80 </STRONG></P><P style="padding: 0cm;"><STRONG>&nbsp;&nbsp;&nbsp;&nbsp; os:&nbsp;&nbsp; idSource=learned type=linux relevance=relevant </STRONG></P><P style="padding: 0cm;"><STRONG>actions:&nbsp;&nbsp; </STRONG></P><P style="padding: 0cm;"><STRONG>&nbsp;&nbsp; denyPacketRequestedNotPerformed: true </STRONG></P><P style="padding: 0cm;"><STRONG>riskRatingValue: 100 targetValueRating=medium attackRelevanceRating=relevant </STRONG></P><P style="padding: 0cm;"><STRONG>threatRatingValue: 100 </STRONG></P></DIV><P></P><P><STRONG>Waiting for your reply</STRONG></P><P><STRONG>Regards</STRONG></P><P><STRONG>Sher</STRONG></P></BODY></HTML> Tue, 13 Sep 2011 07:41:47 GMT https://community.cisco.com/t5/network-security/tcp-hijack-attack-on-ips/m-p/1780093#M56303 szamin125 2011-09-13T07:41:47Z https://community.cisco.com/t5/network-security/tcp-hijack-attack-on-ips/m-p/1780094#M56306 <HTML><HEAD></HEAD><BODY><P>Hi Sher,</P><P></P><P>We need to get captures to figure out what's going on here. Is it only between the above 2 IP's that you see this alert?</P><P></P><P>You&nbsp; can enable "produce verbose alert" also in addition to the captures and&nbsp; that way you should be able to figure out which is the offending packet&nbsp; in the stream.</P><P></P><P>Thanks and Regards,</P><P>Prapanch</P></BODY></HTML> Tue, 13 Sep 2011 15:21:48 GMT https://community.cisco.com/t5/network-security/tcp-hijack-attack-on-ips/m-p/1780094#M56306 praprama 2011-09-13T15:21:48Z