topic TCP Window Variation Sig fires repeatedly in Network Security

TCP Window Variation Sig fires repeatedly

jms112080 — Sun, 10 Mar 2019 11:45:36 GMT

Sig 1307/0 TCP Window Variation is constantly firing on my IPS. The explanation mentions that some "improperly implemented" firewalls can cause this signature to fire. I have an ASA 5520 between my users and the internet and all internet traffic is NATed. It fires on normal web traffic to known good sites as well as traffic between sites coming in over IPSEC VPN, which is exempted from NAT. Any ideas on what may be causing this?

Re: TCP Window Variation Sig fires repeatedly

smalkeric — Tue, 15 Sep 2009 12:50:37 GMT

This signature Sig 1307/0 will fire when the TCP window varies in a suspect manner. The right edge of the recieve window for TCP decreases. The TCP RFCs state that this should not occur.

This signature will NOT function in promiscuous mode.

Some incorrectly implemented proxies or network address translation firewalls could modify the window can cause this signature to fire.