TCP Window Variation id=1307

desaijaimin
Level 1

Hi, We are getting quite a lot of these alerts and I can't find any info on the internet. Can anyone shed any light on it? There are hundreds of these alerts and most of the time the IP addresses are different. As far as I can see, most of the time the attacker IP address has been from the inside address range. Thanks. Regards

evIdsAlert: eventId=1277786506114716833  vendor=Cisco  severity=high 

  originator:  

    hostId: abcips1 

    appName: sensorApp 

    appInstanceId: 414 

  time: Oct 06, 2011 05:26:59 UTC  offset=0  timeZone=GMT00:00 

  signature:   description=TCP Window Variation  id=1307  version=S212  type=anomaly  created=20030801 

    subsigId: 0 

    sigDetails: TCP Window varied in a suspect way 

    marsCategory: Info/Misc 

  interfaceGroup: vs0 

  vlan: 0 

  participants:  

    attacker:  

      addr: x.x.x.x  locality=OUT 

      port: 39825 

    target:  

      addr: x.x.x.x  locality=OUT 

      port: 5667 

      os:   idSource=learned  type=linux  relevance=relevant 

  riskRatingValue: 100  targetValueRating=medium  attackRelevanceRating=relevant 

  threatRatingValue: 100 

  interface: ge0_1 

  protocol: tcp 

2 Replies

mark.barrett
Level 1

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1307

You might have some kind of device (proxy or firewall, possibly) that is manipulating the size of the TCP window.

Thanks Mark. We do have an ASA as well as a proxy (threat management gateway). I did see the link that you posted before I posted my question, but it's not very clear from the article what can be done to resolve the problem. It says "incorrectly configured" but in what way? It would have been nice if it gave us the possible solutions, or what to check. Thanks. Regards
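A triage sketch for the situation discussed in this thread, added here as an example (it is not from either poster or from Cisco): it parses alert text in the layout shown in the question and counts, per address, how many signature 1307 alerts that address appears in, so a single proxy or firewall common to most alerts stands out. The function names are hypothetical, the input is assumed to be a text export in the same field layout, and the sample alerts are constructed with documentation-range addresses.

```python
import re
from collections import Counter

def parse_alerts(text):
    """Return one dict per evIdsAlert block: sig_id plus attacker/target addr and port."""
    alerts, cur, role = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("evIdsAlert:"):
            cur, role = {}, None
            alerts.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("signature:"):
            m = re.search(r"\bid=(\d+)", line)
            cur["sig_id"] = int(m.group(1)) if m else None
        elif line in ("attacker:", "target:"):
            role = line[:-1]
        elif role and line.startswith(("addr:", "port:")):
            key, _, value = line.partition(":")
            if value.split():
                cur[f"{role}_{key}"] = value.split()[0]
    return alerts

def top_hosts(text, sig_id=1307):
    """Count, per address, the alerts for sig_id in which it appears on either side."""
    counts = Counter()
    for alert in parse_alerts(text):
        if alert.get("sig_id") != sig_id:
            continue
        sides = (alert.get("attacker_addr"), alert.get("target_addr"))
        for addr in dict.fromkeys(a for a in sides if a):
            counts[addr] += 1
    return counts.most_common()

def _alert(sig, src, dst, dport):
    # Constructed sample alert in the field layout shown in the post (not real sensor output).
    return (f"evIdsAlert: eventId=0  vendor=Cisco  severity=high\n\n"
            f"  signature:   description=constructed  id={sig}  type=anomaly\n"
            f"  participants:\n    attacker:\n      addr: {src}  locality=IN\n"
            f"      port: 40000\n    target:\n      addr: {dst}  locality=OUT\n"
            f"      port: {dport}\n      os:   idSource=learned  type=linux\n")

SAMPLE = "".join([
    _alert(1307, "192.0.2.10", "198.51.100.5", 5667),
    _alert(1307, "192.0.2.11", "198.51.100.5", 5667),
    _alert(1307, "198.51.100.5", "192.0.2.12", 8080),
    _alert(0, "192.0.2.10", "203.0.113.9", 443),   # other signature, ignored
])

if __name__ == "__main__":
    for addr, n in top_hosts(SAMPLE):
        print(f"{n:4d}  {addr}")
```

An address that appears in nearly every 1307 alert is the first place to check for a device altering the TCP window, as the reply suggests.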
