Showing results for 
Search instead for 
Did you mean: 

Problem with S182 Signature


I applied IPS-sig-S182-minreq-5.0-1.pkg to my IDS/IPS 4215 with an inline interface pair. Immediately, I began receiving phone calls from users complaining that https sessions with outside app servers were extremely slow. I also noticed that one telnet application stopped working. I did not suspect the IPS, since there were not any event logs about the https or telnet activity. After putting the inline interface into bypass mode, the problems immediately stopped. Downgrading the update back to S181 had the same effect; traffic was normal again. Has anyone else had similar problems with this signature?

6 Replies 6

Cisco Employee
Cisco Employee

Do you have any alerts from signature 3409? This signature went out in S182 and detects telnet sessions over webports but it does not block by default. Could you provide the output of “show statistic virtual-sensor” so we can see if any signature is firing abnormally (or if the sensor is seeing malformed traffic)?

No alerts from 3409. Here's the output from S181. I can upgrade to S182 and get the "show statistics virtual-sensor" as well.

If you could provide the virtual-sensor statistics while (or after) the problem is occurring it would be extremely helpful. The output of "show event status past 00:10:00" may also contain useful information.

I will upgrade the sensor to S182 and have my users try to connect to their telnet and https apps. I should have something to post tomorrow (8/9/2005).

I applied S182 last night and first thing this morning, my users were having problems with https apps and telnet applications that do not use port 23. I've attached an event log and a show stats output.

The only signatures that may be related to this problem are:

1330 - TCP Drop - Bad Checksum: TCP Packet with bad checksum (set to auto drop packet)

1308 - TTL evasion: IP TTL on a TCP session varies (set to modify packet inline)

Signature 1330 is set to automatically drop tcp packets with bad checksums. This signature has existed since S149 and its alerts are found in your S181 attachment. You may want to check the ip addresses of these alerts to identify the device creating the malformed packets your network. Until you have been able to correct the problem you can set the default action of this signature to produce alert to prevent it from dropping packets.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers