Event ID          1363209060027941200

Severity          high

Host ID          XXXX-IPS

Application Name          sensorApp

Event Time          04/03/2013 16:56:55

Sensor Local Time          04/03/2013 11:26:55

Signature ID          3250

Signature Sub-ID          0

Signature Name          TCP Hijack

Signature Version          S667

Signature Details          TCP Hijack

Interface Group          vs0

VLAN ID          20

Interface          ge0_0

Attacker IP          AAAA

Protocol          tcp

Attacker Port          61952

Attacker Locality          OUT

Target IP          BBBB

Target Port          80

Target Locality          OUT

Target OS          unknown unknown (relevant)

Actions          ipLoggingActivated+denyPacketRequestedNotPerformed+logAttackerPacketsActivated+logVictimPacketsActivated

Risk Rating          TVR=medium ARR=relevant

Risk Rating Value          100

Threat Rating          100

Reputation

Context Data

Packet Data          Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2013-04-03 16:56:55.962 ----

Ether:

Ether:   dst =  0:0:c:7:ac:5

Ether:   src =  0:13:c4:4e:2d:bf

Ether: proto =  0x8100 "(VLAN) IEEE 802.1q"

Ether:

VLAN: ---- IEEE802dot1q IEEE=802.1q OSI=2 ----

VLAN:

VLAN: flags = 0000000000010100 20

VLAN:         000............. 0x0 = [priority]

VLAN:         ...0............ 0x0 = [cfi]

VLAN:         ....000000010100 20 = [id]

VLAN:  type =  0x800 "(IP) Internet protocol (v4 or v6)"

VLAN:

IPv4: ---- IPv4 RFC=791 OSI=3 ----

IPv4:

IPv4:      ver =  4 "Internet Protocol version 4"

IPv4:     hlen =  5 (20 bytes) "No IP options present"

IPv4:      tos = 00000000 0x0

IPv4:            000..... 0x0 = [precedence] "Routine"

IPv4:            ...0.... 0x0 = [delay] "Normal delay"

IPv4:            ....0... 0x0 = [throughput] "Normal throughput"

IPv4:            .....0.. 0x0 = [reliability] "Normal reliability"

IPv4:            ......00 0x0 = [reserved]

IPv4:      len =  52 (32 bytes of data)

IPv4:       id =  0x6c1

IPv4:    flags = 010 0x2 (bit fields)

IPv4:            0.. 0x0 = [reserved]

IPv4:            .1. 0x1 = [df] "Do not fragment"

IPv4:            ..0 0x0 = [mf] "no more fragments"

IPv4:   offset =  0 (0 bytes)

IPv4:      ttl =  127 (hops)

IPv4: protocol =  6 "(TCP) Transmition Control Protocol (RFC793)"

IPv4: checksum =  0x40ff

IPv4:    saddr =  AAAA

IPv4:    daddr =  BBBB

IPv4:

TCP: ---- TCP RFC=793 OSI=4 ----

TCP:

TCP: sport =  61952

TCP: dport =  80

TCP:   seq =  2512247734

TCP:   ack =  2410330435

TCP:  hlen =  8 (32 bytes)

TCP:   res =  0

TCP:  code = 010000 0x10

TCP:         0..... 0x0 = [urg]

TCP:         .1.... 0x1 = [ack] "Acknowledgement Field Significant"

TCP:         ..0... 0x0 = [psh]

TCP:         ...0.. 0x0 = [rst]

TCP:         ....0. 0x0 = [syn]

TCP:         .....0 0x0 = [fin]

TCP:   win =  65205 (bytes)

TCP:   crc =  0xb0d2 (CRC-16)

TCP:   urg =  0 (byte offset)

TCP:

TCP: Options: (12 bytes)

TCP:   Opt #1: NOP(1) skipped 1 byte

TCP:   Opt #2: NOP(1) skipped 1 byte

TCP:   Opt #3: SACK Option(5) contains 0 blocks

TCP:

Data: 0000  8f aa be a7 8f ab 8b 7f               ........

Data:

Event Summary          0

Initial Alert

Summary Type

Final Alert

Event Status          New

Event Notes

We got an alert like this. But struggling to find out whether its malignant traffic. Any help would be deeply appreciated