06-18-2007 12:01 PM - edited 03-10-2019 03:39 AM
We had consultants install our new IPS. They recommended plugging into a switch connecting our firewall to our internet router. We have a bunch of VPN tunnels terminating at our ASA firewall from our remote offices. When I check the logs on the IPS, there are tons of alerts for "tcp segment overwrite" and a lot of them come from the VPN sites. My question is, what can I do to alleviate some of these messages? I can't believe that we are being attacked this much.
To clarify our installation, we have 2 switches, one in each of our two buildings, and they are connected via fibre. We have an ASA in each building and they are set up for redundancy. Our IPS has only one interface, plugged into the same VLAN that hosts the firewall and the internet router.
Thanks
06-18-2007 05:29 PM
If this is an inline scenario, the offending packets are dropped by default. To investigate it further, I check to see what other alerts are triggering for the offending hosts. This will give you more information to ascertain what these hosts are really doing.
06-18-2007 05:43 PM
This is not inline... we only have one interface.
I checked through a handful of the logs and I have IPs from my internal network and from remote VPN connections. Is there a way to search through the log to find multiple occurrences of the same host?
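The triage asked about in this thread (find the hosts that trip the alert repeatedly, and see what other signatures those same hosts trigger) can be scripted against an exported alert log. The following is an added example and not code from the thread or from Cisco: the log line format, the signature names other than "TCP Segment Overwrite", and the internal and VPN-site subnets are all constructed assumptions, so the regular expression and the `VPN_SITES`/`INTERNAL` lists must be adapted to whatever format and addressing the real sensor export uses.

```python
"""Group IPS alerts by source host to find repeat offenders and their other alerts.

The sample lines and the address ranges below are constructed for illustration;
they are not real sensor output or real network data.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample export: one alert per line, plus one malformed line to show
# that unparsable lines are skipped rather than crashing the triage.
SAMPLE_LOG = """\
2007-06-18 09:01:02 name="TCP Segment Overwrite" src=10.20.5.11 dst=10.1.1.40 risk=75
2007-06-18 09:01:05 name="TCP Segment Overwrite" src=10.20.5.11 dst=10.1.1.40 risk=75
2007-06-18 09:02:10 name="TCP Segment Overwrite" src=10.1.3.7 dst=10.1.1.40 risk=75
2007-06-18 09:03:44 name="TCP Segment Overwrite" src=10.20.5.11 dst=10.1.1.41 risk=75
2007-06-18 09:04:00 name="ICMP Echo Request" src=198.51.100.9 dst=10.1.1.40 risk=25
2007-06-18 09:05:12 name="TCP Segment Overwrite" src=198.51.100.9 dst=10.1.1.40 risk=75
2007-06-18 09:06:30 name="TCP SYN Port Sweep" src=198.51.100.9 dst=10.1.1.40 risk=90
this line is malformed and should be skipped
"""

# Assumed address plan: remote offices reach the ASA over VPN from these ranges,
# and the local buildings use this internal range. Replace with real values.
VPN_SITES = [ip_network("10.20.0.0/16"), ip_network("10.30.0.0/16")]
INTERNAL = [ip_network("10.1.0.0/16")]

# Matches the constructed line format; adjust to the real export format.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+)\s+name="(?P<name>[^"]+)"\s+'
    r'src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+risk=(?P<risk>\d+)$'
)


def parse_alerts(text):
    """Return a list of alert dicts; lines that do not match the format are dropped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["risk"] = int(rec["risk"])
            alerts.append(rec)
    return alerts


def classify(src):
    """Label a source address as vpn-site, internal, external, or unknown (unparsable)."""
    try:
        addr = ip_address(src)
    except ValueError:
        return "unknown"
    if any(addr in net for net in VPN_SITES):
        return "vpn-site"
    if any(addr in net for net in INTERNAL):
        return "internal"
    return "external"


def hosts_for_signature(alerts, signature):
    """Count how many times each source host triggered one particular signature."""
    return Counter(a["src"] for a in alerts if a["name"] == signature)


def summarize(text, top=10):
    """Top sources by alert count, each with its zone and the distinct signatures it fired.

    Hosts that only ever fire the noisy signature from a trusted zone look very
    different from a host that also fires sweeps or probes, which is the
    distinction the thread's advice relies on.
    """
    alerts = parse_alerts(text)
    per_host = Counter(a["src"] for a in alerts)
    sigs = defaultdict(set)
    for a in alerts:
        sigs[a["src"]].add(a["name"])
    ranked = sorted(per_host.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        {"src": src, "count": n, "zone": classify(src), "signatures": sorted(sigs[src])}
        for src, n in ranked[:top]
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(f'{row["src"]:>15} {row["count"]:>3} {row["zone"]:<9} {", ".join(row["signatures"])}')
```

Run it on a real export by replacing `SAMPLE_LOG` with the file contents (or reading from a path) and editing `LINE_RE` to match the sensor's field layout. The useful output is the combination of count, zone and signature set: a VPN-site address that fires only the overwrite signature hundreds of times is far more likely to be the fragmentation or retransmission behaviour of a tunnel than an attack, whereas an external address that pairs it with sweeps or probes deserves a closer look.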
06-19-2007 05:43 AM
We have the same issue. We see them too much in "normal" traffic for the sig to be useful.
06-19-2007 11:21 AM
If you are on a 4250, 4250XL or an IDSM-2 then you might be hitting CSCsg23774.
The defect was corrected in 6.0(1).
06-20-2007 07:26 AM
Thanks man...that seemed to do the trick.
Good thing I did not do that upgrade last week when I was studying for the IPS exam. Whole new interface would have thrown me off.