10-06-2011 07:13 AM - edited 03-10-2019 05:30 AM
Hi, we are getting quite a lot of these alerts and I can't find any info on the internet. Can anyone shed any light on it? There are hundreds of these alerts and most of the time the IP addresses are different. As far as I can see, most of the time the attacker IP address has been from the inside address range. Thanks. Regards
evIdsAlert: eventId=1277786506114716833 vendor=Cisco severity=high
  originator:
    hostId: abcips1
    appName: sensorApp
    appInstanceId: 414
  time: Oct 06, 2011 05:26:59 UTC offset=0 timeZone=GMT00:00
  signature: description=TCP Window Variation id=1307 version=S212 type=anomaly created=20030801
    subsigId: 0
    sigDetails: TCP Window varied in a suspect way
    marsCategory: Info/Misc
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: x.x.x.x locality=OUT
      port: 39825
    target:
      addr: x.x.x.x locality=OUT
      port: 5667
      os: idSource=learned type=linux relevance=relevant
  riskRatingValue: 100 targetValueRating=medium attackRelevanceRating=relevant
  threatRatingValue: 100
  interface: ge0_1
  protocol: tcp
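With hundreds of these alerts and varying attacker addresses, the first useful step is to aggregate the sensor output and find what the alerts have in common (a shared target host, a shared target port, or a single source behind them). The script below is an added example written for this thread, not a Cisco tool and not code from the original post. It parses records in the same text layout as the alert quoted above and summarizes attacker/target pairs; the sample records and their addresses are constructed (the real post masks them as x.x.x.x), and the RFC 1918 ranges used to classify "inside" addresses are an assumption about the poster's network.

```python
import re
import ipaddress
from collections import Counter

# Assumption: "inside" means RFC 1918 space. Adjust to the real internal ranges.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: four alerts in the layout the sensor emits (addresses invented).
SAMPLE_ALERTS = """\
evIdsAlert: eventId=1277786506114716833 vendor=Cisco severity=high
  signature: description=TCP Window Variation id=1307 version=S212 type=anomaly created=20030801
  participants:
    attacker:
      addr: 10.1.1.20 locality=OUT
      port: 39825
    target:
      addr: 10.1.1.5 locality=OUT
      port: 5667
evIdsAlert: eventId=1277786506114716834 vendor=Cisco severity=high
  signature: description=TCP Window Variation id=1307 version=S212 type=anomaly created=20030801
  participants:
    attacker:
      addr: 10.1.1.21 locality=OUT
      port: 40001
    target:
      addr: 10.1.1.5 locality=OUT
      port: 5667
evIdsAlert: eventId=1277786506114716835 vendor=Cisco severity=high
  signature: description=TCP Window Variation id=1307 version=S212 type=anomaly created=20030801
  participants:
    attacker:
      addr: 10.1.1.22 locality=OUT
      port: 41800
    target:
      addr: 10.1.1.5 locality=OUT
      port: 5667
evIdsAlert: eventId=1277786506114716836 vendor=Cisco severity=high
  signature: description=TCP Window Variation id=1307 version=S212 type=anomaly created=20030801
  participants:
    attacker:
      addr: 203.0.113.7 locality=OUT
      port: 51000
    target:
      addr: 10.1.1.5 locality=OUT
      port: 5667
"""

# One participant block: "attacker:" or "target:" followed by its addr and port lines.
PARTICIPANT_RE = re.compile(
    r"(attacker|target):\s*\n\s*addr:\s*(\S+)[^\n]*\n\s*port:\s*(\d+)")
EVENT_RE = re.compile(r"eventId=(\d+)")
SIG_RE = re.compile(r"signature:[^\n]*\bid=(\d+)")


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)


def parse_alerts(text):
    """Split the sensor text into records and pull out the fields we aggregate on."""
    alerts = []
    # Every record starts with an "evIdsAlert:" line; split on that and drop the preamble.
    for record in re.split(r"^\s*evIdsAlert:", text, flags=re.M)[1:]:
        parts = {role: (addr, int(port))
                 for role, addr, port in PARTICIPANT_RE.findall(record)}
        if "attacker" not in parts or "target" not in parts:
            continue  # incomplete record, skip rather than guess
        alerts.append({
            "event_id": EVENT_RE.search(record).group(1),
            "sig_id": int(SIG_RE.search(record).group(1)),
            "attacker": parts["attacker"][0],
            "attacker_port": parts["attacker"][1],
            "target": parts["target"][0],
            "target_port": parts["target"][1],
        })
    return alerts


def summarize(alerts, sig_id=1307):
    """Count the things that stay constant across the alerts for one signature."""
    hits = [a for a in alerts if a["sig_id"] == sig_id]
    return {
        "total": len(hits),
        "internal_attackers": sum(1 for a in hits if is_internal(a["attacker"])),
        "targets": Counter((a["target"], a["target_port"]) for a in hits),
        "attackers": Counter(a["attacker"] for a in hits),
    }


if __name__ == "__main__":
    s = summarize(parse_alerts(SAMPLE_ALERTS))
    print(f"{s['total']} alerts, {s['internal_attackers']} from inside ranges")
    for (host, port), n in s["targets"].most_common(5):
        print(f"  target {host}:{port}  x{n}")
```

Feed it the raw alert text (for example the output of the sensor's event store or a syslog export) and look at the most common target host/port: if every alert lands on the same listener while the sources vary, the thing to examine is the path between those clients and that server rather than the individual clients.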
10-06-2011 10:59 AM
http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1307
You might have some kind of device (proxy or firewall, possibly) that is manipulating the size of the TCP window.
10-07-2011 01:10 AM
Thanks Mark. We do have an ASA as well as a proxy (Threat Management Gateway). I did see the link that you posted before I posted my question, but it's not very clear from the article what can be done to resolve the problem. It says "incorrectly configured", but in what way? It would have been nice if it gave the possible solutions, or what to check. Thanks. Regards
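One concrete thing to check for a device that rewrites TCP windows is to capture the same connection on both sides of the ASA or proxy and compare the advertised window segment by segment, and separately to look for a window whose right edge (ack + window) moves backwards, which RFC 1122 says a receiver should not do. The script below is an added example for this thread, not a Cisco tool and not code from any of the posters. It assumes segments were exported with tshark in this field layout (tab-separated: time, src, sport, dst, dport, seq, ack, window), using absolute sequence numbers so segments can be matched across the two captures:

  tshark -r inside.pcap -Y tcp -o tcp.relative_sequence_numbers:FALSE -T fields -E separator=/t -e frame.time_epoch -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.seq -e tcp.ack -e tcp.window_size

The two embedded captures are constructed to show what a window-rewriting middlebox looks like; the addresses and ports are invented.

```python
# Constructed sample, tshark "-T fields" layout described in the lead-in:
# time  src  sport  dst  dport  seq  ack  window
SAMPLE_INSIDE = """\
1317878819.101\t10.1.1.20\t39825\t10.1.1.5\t5667\t1000\t5000\t65535
1317878819.102\t10.1.1.5\t5667\t10.1.1.20\t39825\t5000\t1100\t14600
1317878819.103\t10.1.1.20\t39825\t10.1.1.5\t5667\t1100\t5100\t65535
1317878819.104\t10.1.1.5\t5667\t10.1.1.20\t39825\t5100\t1200\t14600
"""
# Same four segments as seen on the far side of the device: the client's advertised
# window has been rewritten (65535 -> 8192, then 65535 -> 1024).
SAMPLE_OUTSIDE = """\
1317878819.101\t10.1.1.20\t39825\t10.1.1.5\t5667\t1000\t5000\t8192
1317878819.102\t10.1.1.5\t5667\t10.1.1.20\t39825\t5000\t1100\t14600
1317878819.103\t10.1.1.20\t39825\t10.1.1.5\t5667\t1100\t5100\t1024
1317878819.104\t10.1.1.5\t5667\t10.1.1.20\t39825\t5100\t1200\t14600
"""

MASK32 = 0xFFFFFFFF


def parse_segments(text):
    """Turn tshark field lines into dicts; blank lines are skipped."""
    segments = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, seq, ack, win = line.split("\t")
        segments.append({"ts": float(ts), "src": src, "sport": int(sport),
                         "dst": dst, "dport": int(dport), "seq": int(seq),
                         "ack": int(ack), "win": int(win)})
    return segments


def find_window_shrinks(segments):
    """Per direction, track the advertised right edge (ack + window) and report
    every segment where it moved backwards (modulo 2^32).  Returns a list of
    (segment, previous_right_edge)."""
    last_edge = {}
    shrinks = []
    for s in segments:
        direction = (s["src"], s["sport"], s["dst"], s["dport"])
        edge = (s["ack"] + s["win"]) & MASK32
        prev = last_edge.get(direction)
        # A backwards move shows up as a "negative" 32-bit difference.
        if prev is not None and ((edge - prev) & MASK32) > 0x7FFFFFFF:
            shrinks.append((s, prev))
        last_edge[direction] = edge
    return shrinks


def compare_capture_points(inside, outside):
    """Match segments captured on both sides of a device by 5-tuple, seq and ack,
    and return (key, inside_window, outside_window) wherever the window differs.
    A non-empty result means the device between the capture points rewrote it."""
    def key(s):
        return (s["src"], s["sport"], s["dst"], s["dport"], s["seq"], s["ack"])
    outside_by_key = {key(s): s for s in outside}
    diffs = []
    for s in inside:
        o = outside_by_key.get(key(s))
        if o is not None and o["win"] != s["win"]:
            diffs.append((key(s), s["win"], o["win"]))
    return diffs


if __name__ == "__main__":
    inside = parse_segments(SAMPLE_INSIDE)
    outside = parse_segments(SAMPLE_OUTSIDE)
    for k, win_in, win_out in compare_capture_points(inside, outside):
        print(f"window rewritten for {k[0]}:{k[1]} -> {k[2]}:{k[3]}: {win_in} inside, {win_out} outside")
    for s, prev in find_window_shrinks(outside):
        print(f"right edge shrank {s['src']}:{s['sport']} -> {s['dst']}:{s['dport']}: "
              f"{prev} -> {s['ack'] + s['win']}")
```

If the comparison reports differences, the device between the two capture points is the one changing the window, and the sensor is reporting accurately on what it sees; if the inside capture already shows shrinking right edges, the end host itself is the source and the middlebox is not to blame.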