TCP Segment Overwrite 1300/0

alkabeer80
Level 1

Hi,

I have a Cisco IPS 4270 inline, placed before a Cisco ASA.

I can always see signature 1300/0 fire; I have applied TCP normalization on the ASA and I can still see the same signature fire.

Is there anything I can do to trace the root cause?

tcp-map tcp-NORM_Map
  check-retransmission
  checksum-verification
  exceed-mss drop
  queue-limit 5 timeout 3
  syn-data drop
  window-variation drop-connection
!

class-map CONNS_Class
match any

!

policy-map CONNS_policy
class CONNS_Class
  set connection conn-max 5000 embryonic-conn-max 1500 per-client-max 50 per-client-embryonic-max 15
  set connection timeout embryonic 0:00:45 half-closed 0:05:00 tcp 0:10:00 reset dcd 0:00:20 3
  set connection advanced-options tcp-NORM_Map

!

service-policy CONNS_policy interface outside

Thanks

9 Replies

_____Adam
Level 1

In the past, signature 1300-0 had issues with the regex that were causing excessive false positives. I would first verify that you are using the newest version of this signature, which was released in S637.

julomban
Level 3

Correct, there are multiple bugs (CSCsg23774/CSCsg91311) related to this particular signature and false positives.

You can find more information about the signature at the following link:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1300

As the above link says: "This signature may trigger upon analyzing traffic assigned to the same virtual sensor when the sensor is configured to monitor 2 or more networks, and the TCP connection is crossing 2 or more networks. If the sensor sees the same traffic twice within the same virtual sensor, this signature may fire." So, do you think this could be happening in our scenario? If you think this is not the issue and the sensor is seeing the traffic only once, then we can also configure an event action filter for the concerned traffic.

Again, you might want to confirm first that you are running the newest version of this signature.

Regards,

Juan Lombana

Please rate helpful posts.

Hi,

I have updated to the latest signature release, "S705". The signature still fires.

This IPS is inline; traffic from the outside ("public") is hitting the internal VS, and it is only one network.

Is there any other solution?

Thanks

To see more details on the traffic you can configure a custom event action filter for this signature, as Juan has suggested. Some possible values that will provide you with more details are:

log-pair-packets (This will show you full traffic details)

produce-verbose-alert (This will give a more verbose alert with traffic hexdump)

Hi Adam,

I want to create a custom event filter, but I need your help with the steps:

1) Event action rule

2) Event action filter

3) Add new

4) Signature 1300/0

5) Actions to subtract: I can see here (log-pair-packets, produce-verbose-alert), but are these actions to subtract?

How can I do it, and later how can I view it?

Thanks

That sounds like the correct steps. Those actions subtract only if you specify a custom IP address. By default it will have 0.0.0.0-255.255.255.255, which will not subtract anything. You can see a graphical tutorial of this here:

http://popravak.wordpress.com/2012/04/30/event-action-filters/

So just follow the steps you listed and then you should see more information in the alert the next time the signature fires.

Hi Adam,

I followed the procedure and I get the packet data below; I could not interpret it, please help me with this.

Packet Data Ether: ---- Ethernet2 OSI=2 ----
Ether:
Ether:   dst =  0:21:5e:3f:39:2a
Ether:   src =  0:24:c3:ae:41:c3
Ether: proto =  0x8100 "(VLAN) IEEE 802.1q"
Ether:
VLAN: ---- IEEE802dot1q IEEE=802.1q OSI=2 ----
VLAN:
VLAN: flags = 0000010010001001 1161
VLAN:         000............. 0x0 = [priority]
VLAN:         ...0............ 0x0 = [cfi]
VLAN:         ....010010001001 1161 = [id]
VLAN:  type =  0x800 "(IP) Internet protocol (v4 or v6)"
VLAN:
IPv4: ---- IPv4 RFC=791 OSI=3 ----
IPv4:
IPv4:      ver =  4 "Internet Protocol version 4"
IPv4:     hlen =  5 (20 bytes) "No IP options present"
IPv4:      tos = 00000000 0x0
IPv4:            000..... 0x0 = [precedence] "Routine"
IPv4:            ...0.... 0x0 = [delay] "Normal delay"
IPv4:            ....0... 0x0 = [throughput] "Normal throughput"
IPv4:            .....0.. 0x0 = [reliability] "Normal reliability"
IPv4:            ......00 0x0 = [reserved]
IPv4:      len =  41 (21 bytes of data)
IPv4:       id =  0x6c14
IPv4:    flags = 010 0x2 (bit fields)
IPv4:            0.. 0x0 = [reserved]
IPv4:            .1. 0x1 = [df] "Do not fragment"
IPv4:            ..0 0x0 = [mf] "no more fragments"
IPv4:   offset =  0 (0 bytes)
IPv4:      ttl =  118 (hops)
IPv4: protocol =  6 "(TCP) Transmition Control Protocol (RFC793)"
IPv4: checksum =  0x4a60
IPv4:    saddr =  1.1.1.1
IPv4:    daddr =  2.2.2.2
IPv4:
TCP: ---- TCP RFC=793 OSI=4 ----
TCP:
TCP: sport =  51608
TCP: dport =  80
TCP:   seq =  1386163655
TCP:   ack =  3800346912
TCP:  hlen =  5 (20 bytes) "No TCP options present"
TCP:   res =  0
TCP:  code = 010000 0x10
TCP:         0..... 0x0 = [urg]
TCP:         .1.... 0x1 = [ack] "Acknowledgement Field Significant"
TCP:         ..0... 0x0 = [psh]
TCP:         ...0.. 0x0 = [rst]
TCP:         ....0. 0x0 = [syn]
TCP:         .....0 0x0 = [fin]
TCP:   win =  64860 (bytes)
TCP:   crc =  0x8627 (CRC-16)
TCP:   urg =  0 (byte offset)
TCP:
Data: 0000  00 00 00 00 00 00                                   ......
Data:

Hi,

Any update?

Thanks

I have the same problem.

Cisco IPS 4255, and the TCP Segment Overwrite signature is fired.

After investigation I think that the DF bit being set is the reason for this problem.

I have this topology:

host1 -> LAN -> (IPS) -> local router (route map with DF bit set) -> IPsec tunnel (with smaller MTU) ->

remote router (route map with DF bit set) -> remote LAN -> host2.

After host1 has established the TCP connection with host2 it sends the first data segment, and the segment size is too big to go through the IPsec tunnel without fragmentation. At this moment the IPS sees this first data segment.

The local router sends an ICMP packet (fragmentation needed, with the next-hop MTU) to host1, and host1 resends the first data segment with a smaller segment size so that it goes through the IPsec tunnel without fragmentation. At this moment the IPS sees the first data segment (first 256 bytes) a second time, and the TCP Segment Overwrite signature is fired.

I don't know yet how to solve this problem.
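To make the distinction in the post above concrete, here is an added example (not Cisco code, and not how the 4255 implements signature 1300) of a small per-flow reassembler that labels an overlapping segment a benign retransmission when the overlapping bytes are identical and an overwrite only when they differ; the PMTUD resend described above, modelled with a constructed payload, comes out as a retransmission.

```python
"""Classify overlapping TCP segments within one direction of a flow.

Constructed example: identical overlapping bytes = retransmission (e.g. a
host re-sending a shorter segment after an ICMP "fragmentation needed"),
differing overlapping bytes = a real segment overwrite. Ignores 32-bit
sequence-number wraparound for brevity.
"""
from dataclasses import dataclass, field


@dataclass
class FlowReassembler:
    """Remembers every payload byte seen so far, keyed by absolute seq."""
    seen: dict = field(default_factory=dict)

    def add(self, seq: int, payload: bytes) -> str:
        """Record a segment; return 'new', 'retransmission' or 'overwrite'."""
        overlap = [seq + i for i in range(len(payload)) if (seq + i) in self.seen]
        verdict = "new"
        if overlap:
            differing = [s for s in overlap if self.seen[s] != payload[s - seq]]
            verdict = "overwrite" if differing else "retransmission"
        # Keep the first-seen byte for each offset (a first-wins policy).
        for i, b in enumerate(payload):
            self.seen.setdefault(seq + i, b)
        return verdict


def pmtud_scenario() -> list:
    """Constructed: 1460-byte segment, ICMP frag-needed, then a 1300-byte resend."""
    data = bytes(range(256)) * 6          # deterministic sample payload
    isn = 1386163655                      # seq value borrowed from the dump above
    r = FlowReassembler()
    first = r.add(isn, data[:1460])       # too big for the IPsec tunnel MTU
    # host1 honours the ICMP message and resends the same data, shorter
    resend = r.add(isn, data[:1300])
    tail = r.add(isn + 1300, data[1300:1460])  # remainder, already seen once
    return [first, resend, tail]


def overwrite_scenario() -> str:
    """Constructed: same seq range re-sent with different bytes."""
    r = FlowReassembler()
    r.add(1000, b"GET /index.html HTTP/1.1\r\n")
    return r.add(1000, b"GET /other.html HTTP/1.1\r\n")
```

pmtud_scenario() returns ["new", "retransmission", "retransmission"], while overwrite_scenario() returns "overwrite"; a sensor that alerts only on the latter would stay quiet on the DF-bit resend described in the post.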
