deactivated signatures still causing drops

daniel.thompson
Level 1

Hi there,

We have a site with 2x 5540 asas with SSM-20 IPS Module in active standby mode.

The signatures 1204 and 1208 relating to Fragmented IP datagrams fire on traffic even when excluded from the signature set.

Any ideas why and how to fix this issue?

Cheers

D

Error attached as a pic.

3 Replies

nicksmi
Cisco Employee

Have these signatures been retired and disabled?

Nick Smith

Cisco IPS Signature Team

No, but all traffic from the subnets that the issue is on is specifically excluded from the IPS signature list with custom signatures. (It's an issue that requires a lowered MTU to fix, but causes fragmenting at certain times.)

Will the IPS modules STILL fire even on traffic excluded if the signatures match the traffic? How is the traffic to be excluded other than retiring the whole signature?

Cheers

D

From a colleague,

The only way to prevent these two sigs (1204 and 1208) from firing is to retire them and then reset the sensor.  Disabling them will only stop alerting, and they will continue to deny packets (this is part of the normalizer’s design).  I don’t think a custom sig will work because the normalizer sigs will be processed before the custom sigs.

Sig 1204 is ‘IP Fragment Missing Initial Fragment’

And 1208 is ‘IP Fragment Incomplete Datagram’

There’s not much we can do with sig 1204.  If the initial fragment is missing, we can’t do reassembly.

However, with sig 1208, we can adjust the timeout, which defaults to 60 seconds.  Sixty seconds should be plenty of time though.  It can be increased to up to 360 seconds by modifying fragment-reassembly-timeout.

Are the dropped frags causing network issues?
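As an added illustration (not Cisco code and not from this thread) of the two normalizer checks the reply describes, here is a small Python simulation: fragments are grouped per datagram, a datagram that completes is released, and when the reassembly window expires a datagram with no offset-0 fragment is classed as the sig 1204 case while one that has its initial fragment but is still incomplete is classed as the sig 1208 case. The timeout default (60 s) and cap (360 s) are the values quoted above; that both checks are evaluated at window expiry, and the fragment field names, are assumptions of this simulation.

```python
from dataclasses import dataclass, field

DEFAULT_TIMEOUT = 60   # seconds; the sig 1208 default quoted in the reply
MAX_TIMEOUT = 360      # upper bound quoted for fragment-reassembly-timeout
@dataclass
class Fragment:
    t: float        # arrival time in seconds (constructed timestamps)
    src: str
    dst: str
    ip_id: int      # IP identification field shared by all fragments
    offset: int     # fragment offset in bytes
    length: int     # payload length in bytes
    more: bool      # MF flag: True unless this is the last fragment

@dataclass
class Datagram:
    first_seen: float
    frags: list = field(default_factory=list)
    def has_initial(self):
        return any(f.offset == 0 for f in self.frags)
    def complete(self):
        # needs an initial fragment, a last fragment (MF=0) and no holes
        last = [f for f in self.frags if not f.more]
        if not self.has_initial() or not last:
            return False
        covered = 0
        for f in sorted(self.frags, key=lambda f: f.offset):
            if f.offset > covered:      # hole between fragments
                return False
            covered = max(covered, f.offset + f.length)
        return covered >= last[0].offset + last[0].length
class FragmentMonitor:
    def __init__(self, timeout=DEFAULT_TIMEOUT):
        self.timeout = min(timeout, MAX_TIMEOUT)
        self.pending = {}   # (src, dst, ip_id) -> Datagram still being assembled
        self.alerts = []
    def feed(self, frag):
        key = (frag.src, frag.dst, frag.ip_id)
        dg = self.pending.setdefault(key, Datagram(frag.t))
        dg.frags.append(frag)
        if dg.complete():
            del self.pending[key]   # reassembled; nothing to flag
    def expire(self, now):
        # assumption: both checks are evaluated when the reassembly window expires
        for key, dg in list(self.pending.items()):
            if now - dg.first_seen >= self.timeout:
                self.alerts.append((1204 if not dg.has_initial() else 1208, key))
                del self.pending[key]
        return list(self.alerts)
```

Feeding a datagram whose initial fragment arrives only after the window has closed shows why retiring, not disabling, is what stops the drop: the classification happens at expiry regardless of whether an alert is raised.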
