
TCP Hijack Attack on IPS

szamin125
Level 1

Hi Guys,

Our Cisco IPS is under a TCP hijack attack; the signature ID is 3250. A number of servers are targeted by this attack. Can anybody tell me the proper mitigation for this attack?

Regards

Sher

3 Replies

praprama
Cisco Employee

Here are details of what this signature does:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3250&signatureSubId=0&softwareVersion=6.0&releaseVersion=S394

Can you post a sample alert for this signature here? Feel free to modify any sensitive information (like IP addresses).

Regards,

Prapanch

Dear Mr. Prapanch,

Thanks for your quick reply. Please check the logs of the Cisco IPS below...

signature:   description=TCP Hijack id=3250 version=S394 type=anomaly created=20010202

   subsigId: 0

   sigDetails: TCP Hijack

   marsCategory: Penetrate/HijackSession

interfaceGroup: vs0

vlan: 

participants:  

   attacker:  

     addr: 111.111.111.222 (suppose this is public outside address)locality=OUT

     port: 1063

   target:  

     addr: 10.1.1.1(suppose this is web server) locality=OUT

     port: 80

     os:   idSource=learned type=linux relevance=relevant

actions:  

   denyPacketRequestedNotPerformed: true

riskRatingValue: 100 targetValueRating=medium attackRelevanceRating=relevant

threatRatingValue: 100

Waiting for your reply

Regards

Sher

Hi Sher,

We need to get captures to figure out what's going on here. Is it only between the above 2 IPs that you see this alert?

You can enable "produce verbose alert" also, in addition to the captures, and that way you should be able to figure out which is the offending packet in the stream.

Thanks and Regards,

Prapanch
