<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Zero window Probe in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/zero-window-probe/m-p/1612311#M65785</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello Kiran,&lt;/P&gt;&lt;P&gt;The Modify Packet Inline action of signature 1317.0 removes data from the Zero-Window Probe packet.&lt;/P&gt;&lt;P&gt;RFCs 793/1122 allow no data, 1 byte of data, or even a complete data packet in the Zero-Window Probe. If the window opens while the packet is in transit, the receiving end can accept the data. Since the IPS has no way of knowing if the data will be accepted on the receiving end or not, it removes the data. The IPS forces the packet to be a legitimate zero window probe, and removes the possible ambiguity about what data has been processed. Zero window probes are not malicious. The signature exists as a way to control the normalizer behaviour. The behaviour is required so that the normalizer can maintain proper stream state.&lt;/P&gt;&lt;P&gt;Disabling this signature can cause the normalizer to false positive in the following scenario:&lt;/P&gt;&lt;P&gt;Client&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Server&lt;/P&gt;&lt;P&gt;------------------Syn&amp;gt;&lt;/P&gt;&lt;P&gt;&amp;lt;SYN-ACK----------&lt;/P&gt;&lt;P&gt;-------------------ACK&amp;gt;&lt;/P&gt;&lt;P&gt;&amp;lt;DATA-----------------&lt;/P&gt;&lt;P&gt;---------ZeroWindow&amp;gt;&lt;/P&gt;&lt;P&gt;---------ZeroWindow&amp;gt;&lt;/P&gt;&lt;P&gt;&amp;lt;ZeroWindowProbe with 1500 byte data------&lt;/P&gt;&lt;P&gt;If the receiver window opens while the above ZWP packet is in flight, the client will accept the packet, the Normalizer will have ignored it, and the normalizer is then out of sync with the stream. The Normalizer will then start producing false alarms.&lt;/P&gt;&lt;P&gt;If signature 1317.0 is enabled, all of the data will be stripped out of the ZeroWindowProbe and there is no potential ambiguity.&lt;/P&gt;&lt;P&gt;Please let me know if I can help you with anything further within the context of this thread. If your question has been Answered, please mark the thread as such so that it will be helpful to other users. Also, please feel free to Rate this thread to reflect your experience.&lt;/P&gt;&lt;P&gt;Thank you,&lt;/P&gt;&lt;P&gt;Blayne Dreier&lt;/P&gt;&lt;P&gt;Cisco TAC Escalation Team&lt;/P&gt;&lt;P&gt;**Please check out our Podcasts**&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;TAC Security Show: &lt;/SPAN&gt;&lt;A class="jive-link-external-small" href="http://www.cisco.com/go/tacsecuritypodcast"&gt;http://www.cisco.com/go/tacsecuritypodcast&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;TAC IPS Media Series: &lt;/SPAN&gt;&lt;A class="jive-link-community-small" href="https://community.cisco.com/community/netpro/security/intrusion-prevention"&gt;https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&amp;amp;tags=tac_ips_media_series&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 27 Jan 2011 23:01:35 GMT</pubDate>
    <dc:creator>Christopher Dreier</dc:creator>
    <dc:date>2011-01-27T23:01:35Z</dc:date>
    <item>
      <title>Zero window Probe</title>
      <link>https://community.cisco.com/t5/network-security/zero-window-probe/m-p/1612310#M65784</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;&lt;P&gt;I have observed Zero Window Probe events and the default action says "Modify Packet". Please let me know what the exact action taken by the IPS will be, as I need to thoroughly understand it. Please guide me.&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;Kiran&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 12:14:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/zero-window-probe/m-p/1612310#M65784</guid>
      <dc:creator>kiran.raj1</dc:creator>
      <dc:date>2019-03-10T12:14:38Z</dc:date>
    </item>
    <item>
      <title>Re: Zero window Probe</title>
      <link>https://community.cisco.com/t5/network-security/zero-window-probe/m-p/1612311#M65785</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello Kiran,&lt;/P&gt;&lt;P&gt;The Modify Packet Inline action of signature 1317.0 removes data from the Zero-Window Probe packet.&lt;/P&gt;&lt;P&gt;RFCs 793/1122 allow no data, 1 byte of data, or even a complete data packet in the Zero-Window Probe. If the window opens while the packet is in transit, the receiving end can accept the data. Since the IPS has no way of knowing if the data will be accepted on the receiving end or not, it removes the data. The IPS forces the packet to be a legitimate zero window probe, and removes the possible ambiguity about what data has been processed. Zero window probes are not malicious. The signature exists as a way to control the normalizer behaviour. The behaviour is required so that the normalizer can maintain proper stream state.&lt;/P&gt;&lt;P&gt;Disabling this signature can cause the normalizer to false positive in the following scenario:&lt;/P&gt;&lt;P&gt;Client&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; Server&lt;/P&gt;&lt;P&gt;------------------Syn&amp;gt;&lt;/P&gt;&lt;P&gt;&amp;lt;SYN-ACK----------&lt;/P&gt;&lt;P&gt;-------------------ACK&amp;gt;&lt;/P&gt;&lt;P&gt;&amp;lt;DATA-----------------&lt;/P&gt;&lt;P&gt;---------ZeroWindow&amp;gt;&lt;/P&gt;&lt;P&gt;---------ZeroWindow&amp;gt;&lt;/P&gt;&lt;P&gt;&amp;lt;ZeroWindowProbe with 1500 byte data------&lt;/P&gt;&lt;P&gt;If the receiver window opens while the above ZWP packet is in flight, the client will accept the packet, the Normalizer will have ignored it, and the normalizer is then out of sync with the stream. The Normalizer will then start producing false alarms.&lt;/P&gt;&lt;P&gt;If signature 1317.0 is enabled, all of the data will be stripped out of the ZeroWindowProbe and there is no potential ambiguity.&lt;/P&gt;&lt;P&gt;Please let me know if I can help you with anything further within the context of this thread. If your question has been Answered, please mark the thread as such so that it will be helpful to other users. Also, please feel free to Rate this thread to reflect your experience.&lt;/P&gt;&lt;P&gt;Thank you,&lt;/P&gt;&lt;P&gt;Blayne Dreier&lt;/P&gt;&lt;P&gt;Cisco TAC Escalation Team&lt;/P&gt;&lt;P&gt;**Please check out our Podcasts**&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;TAC Security Show: &lt;/SPAN&gt;&lt;A class="jive-link-external-small" href="http://www.cisco.com/go/tacsecuritypodcast"&gt;http://www.cisco.com/go/tacsecuritypodcast&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;TAC IPS Media Series: &lt;/SPAN&gt;&lt;A class="jive-link-community-small" href="https://community.cisco.com/community/netpro/security/intrusion-prevention"&gt;https://supportforums.cisco.com/community/netpro/security/intrusion-prevention?view=tags&amp;amp;tags=tac_ips_media_series&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 27 Jan 2011 23:01:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/zero-window-probe/m-p/1612311#M65785</guid>
      <dc:creator>Christopher Dreier</dc:creator>
      <dc:date>2011-01-27T23:01:35Z</dc:date>
    </item>
  </channel>
</rss>