TCP Segment Overwrite

Unanswered Question
Jun 22nd, 2007

I'm getting ~330,000 "TCP Segment Overwrite" alerts a day from the 6 IDS/IPS sensors. The destinations of these packets are 0.0.0.0 or internal IPs (10.x.x.x). The source IP is mostly the internal subnet (10.x.x.x). Do I need to investigate these events/alerts? What do we need to monitor for this event? Do we need to monitor traffic originating from external sources?

Overall Rating: 4 (1 ratings)
attmidsteam Fri, 06/22/2007 - 11:38

We turned the sig off since it didn't seem to provide any value.
