03-28-2005 10:39 AM - edited 03-10-2019 01:21 AM
I keep seeing the Sig ID 1300 TCP Segment Overwrite between two hosts. This is normal traffic and I have no reason to suspect the machines as having been compromised or misused. I was wondering if anyone has had the experience of seeing this signature fire for normal traffic. Can this be a programming error caused by our in-house programmers writing custom applications?
03-28-2005 11:34 AM
Personally, I err on the side of suspicion. I would recommend investigating this further. This signature is somewhat suspicious in that segment overwriting is something hackers use to try to bypass IPS. Is the destination address always the same? If you are always getting the error from the same source to the same destination, that could be a bad sign.
I would suspect that it's not a program error because most programmers will just send their data to a socket and the underlying network code will set up windowing and segmentation. In this case most socket code is pretty tried and true.
Is this data coming from a VPN segment? It could be an MTU issue. It could be a network device behaving badly between your source and destination; if this is happening it should be true for more than just one host.
Don't forget you can use your reporting tool and turn on verbose reporting whenever the alert is generated, or to assist in forensics you can turn on reporting of all packets between a specific host or destination.
03-28-2005 11:41 AM
If your applications write raw TCP packets onto the wire, then it is a possibility. Otherwise, a badly implemented stack somewhere in the datapath can be a culprit. If you're willing to send us a traffic sample, we'll check it out for you.
Scott
03-29-2005 12:07 PM
I talked to the programmer responsible for the majority of the traffic to the suspected server. Our programmers create their own FTP client, which is in C#. This is more or less just opening a socket connection to a server on a standard FTP port and then they just use the standard FTP commands to the server. The data flows through this connection. They do close the socket connection. They try to close the socket or try to clean up the connection in the event of a recovery or failure or in just normal transactions. Something like that. I will contact you about sending a data sample.
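As an added illustration (not code from any poster in this thread, nor from Cisco's sensor), the following shows the condition a TCP segment overwrite signature is reporting: a segment that overlaps a sequence range already seen in the flow but carries different bytes, as opposed to a plain retransmission with identical bytes. The sample FTP command stream is constructed for the example, and sequence-number wraparound is ignored for brevity.

```python
# Added example: minimal detector for overlapping TCP segments whose data
# differs from what was seen earlier in the same direction of a flow.
# An identical retransmission is benign; an overlap with changed bytes is
# what an IDS/IPS flags, since sender and receiver may reassemble
# different streams.  Sequence-number wraparound is not handled (assumption).
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (starting TCP sequence number, payload)


def find_overwrites(segments: List[Segment]) -> List[Dict]:
    """Replay one direction of a flow in arrival order.

    Returns one record per segment that overlaps previously seen bytes with
    different content.  Each record lists the absolute sequence numbers that
    differ, together with the byte first observed and the new byte."""
    seen: Dict[int, int] = {}      # absolute seq number -> byte first observed
    findings: List[Dict] = []
    for seq, payload in segments:
        conflicts: List[Tuple[int, int, int]] = []
        for offset, byte in enumerate(payload):
            pos = seq + offset
            if pos not in seen:
                seen[pos] = byte          # first time this byte is seen
            elif seen[pos] != byte:
                conflicts.append((pos, seen[pos], byte))  # overwrite
            # identical byte at an already-seen position: retransmission
        if conflicts:
            findings.append({"seq": seq, "len": len(payload),
                             "conflicts": conflicts})
    return findings


# Constructed sample flow (client -> FTP server).  The fourth segment is a
# byte-identical retransmission; the fifth re-sends the RETR range with a
# different filename, which is the overwrite case.
SAMPLE_FLOW: List[Segment] = [
    (1000, b"USER anon\r\n"),
    (1011, b"PASS x@y\r\n"),
    (1021, b"RETR file.txt\r\n"),
    (1011, b"PASS x@y\r\n"),        # benign retransmission
    (1021, b"RETR file.bin\r\n"),   # same range, different bytes
]

if __name__ == "__main__":
    for hit in find_overwrites(SAMPLE_FLOW):
        print(f"overwrite at seq={hit['seq']} len={hit['len']}: "
              f"{len(hit['conflicts'])} byte(s) differ")
```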