<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic IDS and two switches in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ids-and-two-switches/m-p/644208#M92417</link>
    <description>&lt;P&gt;I have an IDS "listening in" on two switches. Problems begin when a host connected to switch1 talks to another host connected to switch2. Apparently I see the packets twice (the only difference is the TTL, which is decreased by one). To make it more interesting, SigID:1300-0 Sig:TCP Segment Overwrite starts firing.  &lt;/P&gt;&lt;P&gt;Any suggestions greatly appreciated.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-A&lt;/P&gt;&lt;P&gt;&lt;/P&gt;</description>
    <pubDate>Sun, 10 Mar 2019 10:13:04 GMT</pubDate>
    <dc:creator>apolkosnik</dc:creator>
    <dc:date>2019-03-10T10:13:04Z</dc:date>
    <item>
      <title>IDS and two switches</title>
      <link>https://community.cisco.com/t5/network-security/ids-and-two-switches/m-p/644208#M92417</link>
      <description>&lt;P&gt;I have an IDS "listening in" on two switches. Problems begin when a host connected to switch1 talks to another host connected to switch2. Apparently I see the packets twice (the only difference is the TTL, which is decreased by one). To make it more interesting, SigID:1300-0 Sig:TCP Segment Overwrite starts firing.  &lt;/P&gt;&lt;P&gt;Any suggestions greatly appreciated.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-A&lt;/P&gt;&lt;P&gt;&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 10:13:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ids-and-two-switches/m-p/644208#M92417</guid>
      <dc:creator>apolkosnik</dc:creator>
      <dc:date>2019-03-10T10:13:04Z</dc:date>
    </item>
    <item>
      <title>Re: IDS and two switches</title>
      <link>https://community.cisco.com/t5/network-security/ids-and-two-switches/m-p/644209#M92418</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Signature 1300 fires only when data in the stream is being overwritten with data that differs from what was previously seen at that sequence offset.  The issue arises because networking stacks based on BSD4.2 implementations might use an older method of sending TCP keepalives. The IDS flags this as a TCP overwrite and fires signature 1300. The resolution is to upgrade to sensor v5.0, where this trigger will not cause an alarm to fire.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 18 Sep 2006 19:04:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ids-and-two-switches/m-p/644209#M92418</guid>
      <dc:creator>vmoopeung</dc:creator>
      <dc:date>2006-09-18T19:04:05Z</dc:date>
    </item>
  </channel>
</rss>

