09-10-2011 04:26 AM - edited 03-10-2019 05:28 AM
Hi Guys,
Our Cisco IPS is under a TCP hijack attack; the signature ID is 3250. A number of servers are targeted by this attack. Can anybody tell me the proper mitigation for this attack?
Regards
Sher
09-12-2011 09:20 AM
Here are details of what this signature does:
Can you post a sample alert for this signature here? feel free to modify any sensitive information (like IP addresses).
Regards,
Prapanch
09-13-2011 12:41 AM
Dear Mr. Prapanch,
Thanks for your quick reply. Please check the logs of the Cisco IPS below...
signature: description=TCP Hijack id=3250 version=S394 type=anomaly created=20010202
subsigId: 0
sigDetails: TCP Hijack
marsCategory: Penetrate/HijackSession
interfaceGroup: vs0
vlan:
participants:
attacker:
addr: 111.111.111.222 (suppose this is a public outside address) locality=OUT
port: 1063
target:
addr: 10.1.1.1 (suppose this is a web server) locality=OUT
port: 80
os: idSource=learned type=linux relevance=relevant
actions:
denyPacketRequestedNotPerformed: true
riskRatingValue: 100 targetValueRating=medium attackRelevanceRating=relevant
threatRatingValue: 100
Waiting for your reply
Regards
Sher
09-13-2011 08:21 AM
Hi Sher,
We need to get captures to figure out what's going on here. Is it only between the above two IPs that you see this alert?
You can also enable "produce verbose alert" in addition to the captures; that way you should be able to figure out which packet in the stream is the offending one.
Thanks and Regards,
Prapanch
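Added example, not code from the thread or from Cisco: a small Python triage helper that parses alerts in the key: value layout Sher posted and answers Prapanch's question of whether signature 3250 fires only between one attacker/target pair. The sample alerts and the assumed layout (one alert per blank-line-separated block) are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample, not captured from the poster's sensor: the thread's alert plus
# one more in the same "key: value" layout, one alert per blank-line-separated block.
SAMPLE_ALERTS = """\
signature: description=TCP Hijack id=3250 version=S394 type=anomaly created=20010202
attacker:
addr: 111.111.111.222 locality=OUT
port: 1063
target:
addr: 10.1.1.1 locality=OUT
port: 80
denyPacketRequestedNotPerformed: true
riskRatingValue: 100 targetValueRating=medium attackRelevanceRating=relevant

signature: description=TCP Hijack id=3250 version=S394 type=anomaly created=20010202
attacker:
addr: 111.111.111.222 locality=OUT
port: 1090
target:
addr: 10.1.1.2 locality=OUT
port: 443
riskRatingValue: 100 targetValueRating=medium attackRelevanceRating=relevant
"""

def parse_alert(block):
    # addr/port lines belong to whichever "attacker:"/"target:" header precedes them
    alert, section = {"deny_not_performed": False}, None
    for line in block.splitlines():
        key, _, value = (s.strip() for s in line.partition(":"))
        if key in ("attacker", "target") and not value:
            section = key
        elif key in ("addr", "port") and section:
            alert[f"{section}_{key}"] = value.split()[0]   # drop "locality=..." suffix
        elif key == "signature":
            alert["sig_id"] = int(re.search(r"\bid=(\d+)", value).group(1))
        elif key == "riskRatingValue":
            alert["risk"] = int(value.split()[0])
        elif key == "denyPacketRequestedNotPerformed":
            alert["deny_not_performed"] = value.lower() == "true"
    return alert

def summarize(text, sig_id=3250, min_risk=90):
    # Attacker/target pairs that fire this signature, and how often a requested deny was not applied
    alerts = [parse_alert(b) for b in text.strip().split("\n\n")]
    hits = [a for a in alerts if a.get("sig_id") == sig_id and a.get("risk", 0) >= min_risk]
    pairs = Counter((a["attacker_addr"], a["target_addr"]) for a in hits)
    return {"pairs": dict(pairs), "deny_not_performed": sum(a["deny_not_performed"] for a in hits)}
```

The denyPacketRequestedNotPerformed: true line in the posted alert means the sensor asked to drop the packet but could not, which is what you see when the sensor monitors in promiscuous rather than inline mode.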