IPS - tcp segment overwrite - WAY TOO MANY

Unanswered Question

We had consultants install our new IPS. They recommended plugging into a switch connecting our firewall to our internet router. We have a bunch of VPN tunnels terminating at our ASA firewall from our remote offices. When I check the logs on the IPS, there are tons of alerts for "tcp segment overwrite" and a lot of them come from the VPN sites. My question is, what can I do to alleviate some of these messages? I can't believe that we are being attacked this much.

To clarify our installation, we have 2 switches, one in each of our two buildings, and they are connected via fibre. We have an ASA in each building and they are set up for redundancy. Our IPS has only one interface plugged into the same VLAN that hosts the firewall and the internet router.
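For readers unfamiliar with what this alert actually tests, the following is an added illustration (not code from this thread or from the Cisco IPS) of the kind of reassembly check behind a "segment overwrite" signature: segments whose sequence ranges overlap are compared byte for byte, identical bytes are treated as an ordinary retransmission, and differing bytes are flagged. The Segment type, the verdict names and the sample payloads are all constructed for this example, and 32-bit sequence wraparound is ignored for brevity.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """A TCP segment reduced to what the check needs (constructed type)."""
    seq: int        # sequence number of the first payload byte
    payload: bytes  # segment data


def classify(existing: Segment, new: Segment) -> str:
    """Compare one earlier segment with a newly arrived one.

    Returns "none" (no overlap), "retransmit" (overlap with identical
    bytes) or "overwrite" (overlap whose bytes differ from what was
    already seen, which is what the IPS alert is about).
    """
    start = max(existing.seq, new.seq)
    end = min(existing.seq + len(existing.payload), new.seq + len(new.payload))
    if start >= end:
        return "none"
    old = existing.payload[start - existing.seq:end - existing.seq]
    cur = new.payload[start - new.seq:end - new.seq]
    return "retransmit" if old == cur else "overwrite"


def scan_stream(segments: list[Segment]) -> list[tuple[int, str]]:
    """Feed segments in arrival order for one direction of one TCP
    connection; return (index, verdict) per segment.  An overwrite
    against any earlier segment wins over a plain retransmit."""
    seen: list[Segment] = []
    findings: list[tuple[int, str]] = []
    for i, seg in enumerate(segments):
        verdict = "none"
        for prior in seen:
            v = classify(prior, seg)
            if v == "overwrite":
                verdict = v
                break
            if v == "retransmit":
                verdict = v
        findings.append((i, verdict))
        seen.append(seg)
    return findings


# Constructed sample: a request, its continuation, a benign duplicate
# of the first segment, then a segment that rewrites bytes 1005-1009.
SAMPLE = [
    Segment(1000, b"GET /index"),
    Segment(1010, b".html HTTP"),
    Segment(1000, b"GET /index"),
    Segment(1005, b"ZZZZZ"),
]
```

Running `scan_stream(SAMPLE)` marks the third segment as a retransmit and only the fourth as an overwrite, which is the distinction worth checking in the IPS event details before treating VPN-sourced alerts as attacks.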


jlimbo Mon, 06/18/2007 - 17:29

If this is in an inline scenario, the offending packets are dropped by default. To investigate it further, I check to see what other alerts are triggering for the offending hosts. This will give you more information to ascertain what these hosts are really doing.

mhellman Tue, 06/19/2007 - 05:43

We have the same issue. We see them too much in "normal" traffic for the sig to be useful.

