05-09-2006 05:49 AM - edited 03-10-2019 03:00 AM
Hello,
Is there any news as to when the bug with the TCP Hijack signatures will be fixed?
According to forum posts from March, the bug CSCsd00877 in the TCP Hijack signatures (3250, 3251) is being addressed by Cisco.
I'm having the exact same problem (except for the Segment Overwrites) as Vasanth.
Any news would be greatly appreciated.
Regards,
David
-------------------------------------
Replied by: yvasanthk - Mar 28, 2006, 4:32am PST
Hi,
I have an IDSM2 running IPS5.1(1) S222.0 upgraded recently from 4.x.
My network has windows desktops, spanned on multiple VLANs. Cisco 6500 FWSM module routes between these VLANs and is the default gateway for each of these desktop VLANs.
Since I upgraded to IPS 5.x, I am seeing lots and lots of TCP Hijack and TCP Segment Overwrite alarms. The source addresses of these alarms are my Windows PCs, and the destination addresses are Windows 2003 servers. There is no pattern. All traffic that crosses my firewall module is being marked as "TCP Segment Overwrite" or "TCP Hijack".
It is difficult to ignore so many alarms unless there is a technical explanation to see if the placement of FWSM is causing IPS to treat this traffic as malicious.
I was not seeing these alarms when I had IDSM-2 with 4.x software.
Please guide me to troubleshoot this issue.
regards,
Vasanth
-------------------------------------
Replied by: nkhawaja - CCIE - Mar 28, 2006, 8:03pm PST
Hi Vasanth,
Thanks for your question. I think you are facing this bug CSCsd00877.
Here is the detail
Symptom:
TCP Hijack signatures (3250, 3251) fire at random times and there is no hijack or traffic
that appears to be a hijack occurring.
Conditions:
An IPS sensor in promiscuous mode will sometimes fire a hijack signature when none of the
traffic that should trigger the signature is observed.
Workaround:
Set enabled: false for the signatures until this DDTS is resolved
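The workaround above, disabling signatures 3250 and 3251 in the sensor's signature definition, as an added example of the IPS 5.x CLI steps (example session written for this thread, not taken from the original posts or from Cisco documentation; it assumes the sensor prompt is `sensor#` and that the default signature definition `sig0` is the one assigned to the virtual sensor, so adjust both for your setup):

```text
sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 3250 0
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled false
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# signatures 3251 0
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled false
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
sensor# show configuration | include 3250
```

Disabling a signature (enabled false) keeps its definition and tuning intact, so it can be re-enabled with `enabled true` once the sensor runs a fixed release; retiring it instead would unload it from the engine. After applying, confirming with a `show` command that the status change is present, and checking that the 3250/3251 alerts stop while other TCP-engine signatures still fire, verifies that only the affected signatures were touched.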
05-15-2006 12:08 PM
Set enabled: false for the signatures, or else
use release 5.01 or later.
11-15-2006 07:17 AM
This week we upgraded the IDS v4.1 to IPS v5.1(4) S258. Seeing many hits on the same 3 sigIDs (1300, 3250, & 3251). Is there still a bug CSCsd00877 that affects sigs 3250 and 3251? What about sig 1300?
Should I follow your workaround below for all 3 sigs?
Set enabled: false for the signatures until this DDTS is resolved