<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: TCP segment Overwrite in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/tcp-segment-overwrite/m-p/585970#M98564</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Very interesting I have also had to deal with a large number of TCP 1300 events and have never been able to filter out or determine that the offending device is a threat. So I would assume from this comment that to have the IDS act as a Proxy you would have to pass the traffic through the device or just how do you setup the sensor to be a proxy. If changing the configuration is required how does this affect other signatures.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Wed, 20 Sep 2006 15:05:41 GMT</pubDate>
    <dc:creator>p.mckay</dc:creator>
    <dc:date>2006-09-20T15:05:41Z</dc:date>
    <item>
      <title>TCP segment Overwrite</title>
      <link>https://community.cisco.com/t5/network-security/tcp-segment-overwrite/m-p/585968#M98561</link>
      <description>&lt;P&gt;Recently, I've been seeing a ton of messages on the IPS Event Viewer stating that TCP Segment Overwrites have been detected. The events are from either the IPS-A to our DMZ or vice versa.  It just started whenever we added some servers to the network.  Does anybody have any suggestions?  We traced the packets, it's not hacker related.  It seems like maybe a server or app. may be causing the issue.  The problem is isolating it.  I would appreciate any feedback you could provide.  Thanks! &lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 09:59:09 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/tcp-segment-overwrite/m-p/585968#M98561</guid>
      <dc:creator>mkotova</dc:creator>
      <dc:date>2019-03-10T09:59:09Z</dc:date>
    </item>
    <item>
      <title>Re: TCP segment Overwrite</title>
      <link>https://community.cisco.com/t5/network-security/tcp-segment-overwrite/m-p/585969#M98562</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;TCP normalization &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Through intentional or natural TCP session segmentation, some classes of attacks can be hidden. To make sure policy enforcement can occur with no false positives and false negatives, the state of the two TCP endpoints must be tracked and only the data that is actually processed by the real host endpoints should be passed on. Overlaps in a TCP stream can occur, but are extremely rare except for TCP segment retransmits. Overwrites in the TCP session should not occur. If overwrites do occur, someone is intentionally trying to elude the security policy or the TCP stack implementation is broken. Maintaining full information about the state of both endpoints is not possible unless the sensor acts as a TCP proxy. Instead of the sensor acting as a TCP proxy, the segments will be ordered properly and the normalizer will look for any abnormal packets associated with evasion and attacks. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804cf52e.html" target="_blank"&gt;http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a00804cf52e.html&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 26 Apr 2006 17:13:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/tcp-segment-overwrite/m-p/585969#M98562</guid>
      <dc:creator>smahbub</dc:creator>
      <dc:date>2006-04-26T17:13:41Z</dc:date>
    </item>
    <item>
      <title>Re: TCP segment Overwrite</title>
      <link>https://community.cisco.com/t5/network-security/tcp-segment-overwrite/m-p/585970#M98564</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Very interesting I have also had to deal with a large number of TCP 1300 events and have never been able to filter out or determine that the offending device is a threat. So I would assume from this comment that to have the IDS act as a Proxy you would have to pass the traffic through the device or just how do you setup the sensor to be a proxy. If changing the configuration is required how does this affect other signatures.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 20 Sep 2006 15:05:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/tcp-segment-overwrite/m-p/585970#M98564</guid>
      <dc:creator>p.mckay</dc:creator>
      <dc:date>2006-09-20T15:05:41Z</dc:date>
    </item>
  </channel>
</rss>

