ID 1300 TCP Segment Overwrite

p.mckay
Level 1

I keep seeing the Sig ID 1300 TCP Segment Overwrite between two hosts. This is normal traffic and I have no reason to suspect the machines as having been compromised or misused. I was wondering if anyone has had the experience of seeing this signature fire for normal traffic. Can this be a programming error caused by our in-house programmers writing custom applications?

3 Replies

gabelar
Level 1

Personally, I err on the side of suspicion. I would recommend investigating this further. This signature is somewhat suspicious in that segment overwriting is something hackers use to try to bypass IPS. Is the destination address always the same? If you are always getting the error from the same source to the same destination, that could be a bad sign.

I would suspect that it's not a program error because most programmers will just send their data to a socket and the underlying network code will set up windowing and segmentation. In this case most socket code is pretty tried and true.

Is this data coming from a VPN segment? It could be an MTU issue. It could be a network device behaving badly between your source and destination; if this is happening it should be true for more than just one host.

Don't forget you can use your reporting tool and turn on verbose reporting whenever the alert is generated, or to assist in forensics you can turn on reporting of all packets between a specific host or destination.
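To make concrete what the signature is looking for, here is an added example (not from this thread or from Cisco) of the reassembly check an IPS performs: it walks the segments of one TCP direction in arrival order and flags any segment that covers sequence space already seen. An exact retransmission (same bytes) is the benign case gabelar's MTU or bad-device theories would produce; a segment whose bytes differ from what was already seen in that range is the "overwrite" condition, which matters because the receiver's reassembly policy decides which copy the application gets. The function names and the sample segments are constructed for this example; sequence-number wraparound is ignored for brevity.

```python
"""Detect TCP segment overwrites in one direction of a stream.

Added example, not code from the thread. Input is an iterable of
(sequence number, payload bytes) pairs in arrival order.
"""

from dataclasses import dataclass


@dataclass
class Overlap:
    seq: int          # sequence number of the offending segment
    overlapping: int  # bytes of the segment that covered already-seen space
    differing: int    # how many of those bytes disagreed with the first copy
    kind: str         # "retransmission" (identical) or "overwrite" (differs)


def find_overlaps(segments):
    """Return one Overlap record per segment that revisits seen sequence space.

    The first byte observed at each offset is taken as the reference,
    which is what a reassembler that favours the earlier copy would keep.
    """
    seen = {}  # absolute byte offset -> first byte value observed there
    results = []
    for seq, payload in segments:
        overlapping = 0
        differing = 0
        for i, byte in enumerate(payload):
            off = seq + i
            if off in seen:
                overlapping += 1
                if seen[off] != byte:
                    differing += 1
            else:
                seen[off] = byte
        if overlapping:
            kind = "overwrite" if differing else "retransmission"
            results.append(Overlap(seq, overlapping, differing, kind))
    return results


# Constructed sample: a small FTP-style command exchange in one direction.
SAMPLE_SEGMENTS = [
    (1000, b"USER anon\r\n"),  # covers offsets 1000-1010
    (1011, b"PASS x\r\n"),     # 1011-1018, no overlap
    (1000, b"USER anon\r\n"),  # exact retransmission of the first segment
    (1005, b"root\r\n"),       # 1005-1010 again, but three bytes differ
]


def summarize(segments=SAMPLE_SEGMENTS):
    """Count benign retransmissions versus overwrites for a quick triage."""
    found = find_overlaps(segments)
    retrans = sum(1 for o in found if o.kind == "retransmission")
    overwrites = sum(1 for o in found if o.kind == "overwrite")
    return retrans, overwrites


if __name__ == "__main__":
    for o in find_overlaps(SAMPLE_SEGMENTS):
        print(f"seq={o.seq} overlap={o.overlapping} differ={o.differing} {o.kind}")
    print("retransmissions, overwrites =", summarize())
```

When triaging a recurring alert between the same two hosts, feeding a capture of that pair through a check like this tells you quickly whether you are looking at plain duplicate data (MTU, a retransmitting middlebox) or at genuinely conflicting bytes, which is the case worth escalating.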

scothrel
Level 3

If your applications write raw TCP packets onto the wire, then it is a possibility. Otherwise, a badly implemented stack somewhere in the datapath can be a culprit. If you're willing to send us a traffic sample, we'll check it out for you.

Scott

scothrel@cisco.com

I talked to the programmer responsible for the majority of the traffic to the suspected server. Our programmers create their own FTP client, which is in C#. This is more or less just opening a socket connection to a server on a standard FTP port and then they just use the standard FTP commands to the server. The data flows through this connection. They do close the socket connection. They try to close the socket or try to clean up the connection in the event of a recovery or failure or in just normal transactions. Something like that. I will contact you about sending a data sample.
