Hi,

I have an IPS4270 appliance (IPS4270-20-K9) in IDS mode. I am getting continuous triggers on the TCP Hijack signature and the attacker is always the proxy server. with the target of various external addresses and 1 specific internal address hosting web services (ports 80 & 443).

evIdsAlert: eventId=6822622857377  vendor=Cisco  severity=high  alarmTraits=2147516416 
  originator:  
    hostId: PETROSA-PRW-IPS4270-IPS1 
    appName: sensorApp 
    appInstanceId: 1492 
  time: Feb 07, 2014 12:33:17 UTC  offset=120  timeZone=GMT+02:00 
  signature:   description=TCP Hijack  id=3250  version=S739  type=anomaly  created=20010202 
    subsigId: 0 
    sigDetails: TCP Hijack 
  interfaceGroup: ServerVlan 
  vlan: 3 
  participants:  
    attacker:  
      addr: 10.0.2.111  locality=OUT 
      port: 65077 
    target:  
      addr: 198.72.112.12  locality=OUT 
      port: 80 
      os:   idSource=unknown  type=unknown  relevance=relevant 
  actions:  
    snmpTrapRequested: true 
  triggerPacket:
000000  00 16 35 C2 39 87 00 24  14 BF 2E C0 81 00 A0 03  ..5.9..$........
000010  08 00 45 00 00 28 58 4A  40 00 7F 06 60 C2 0A 00  ..E..(XJ@...`...
000020  02 6F C6 48 70 0C FE 35  00 50 8C DB EE A7 B9 AF  .o.Hp..5.P......
000030  CC 0E 50 10 80 52 EC F6  00 00 00 00 00 00 00 00  ..P..R..........

  riskRatingValue: 100  targetValueRating=medium  attackRelevanceRating=relevant 
  threatRatingValue: 100 
  interface: ge3_0 
  protocol: tcp 

is this a false positive as it is triggering way too often and especially with it stating the proxy server as the attacker.

Thanks.