TCP Segment Overwrite

Unanswered Question
Mar 21st, 2007

I have an IPS4215 installed behind a 515E firewall. When clients use the Cisco VPN Client to connect to the firewall (and access a sensitive server behind it) I get multiple hits on Sig 1300/0 TCP Segment Overwrite. Summarization keeps the number of counts down, but sometimes I'm seeing 200+ events per connection. I need to determine how this should be tuned.

Where can I find more information about the specifics of this signature? I'm not clear from the NSDB why this would occur in this case.

Overall Rating: 4 (1 ratings)
ishah Thu, 03/22/2007 - 16:00

We see these every time we install a Cisco Sensor in default mode.

I think it is oversensitive. I have been meaning to send some data to TAC to let Cisco look at it, as we see it on every 5.X sensor we install.

Tim Armstrong Fri, 03/23/2007 - 04:32

Since I'm not the only one with the problem, I'll try to open a TAC today and see where this goes. I'll post progress here.

Thanks for the reply!

