Handling MARS's "System Rule: Misc. Attacks: TCP/IP Protocol Anomaly"

Jun 2nd, 2008

I have an IPS 4260 monitoring 4 inline links, connecting to a MARS 20.

MARS has been reporting a large number of TCP-related alerts over the WAN, i.e.:

- TCP packet with segment out of order
- TCP packet out of state order
- TCP segment out of window
- TCP packet with bad checksum

Can anyone advise on the best practice, or how I should assess and handle this situation?



mhellman Tue, 06/03/2008 - 13:25

Even if you decide to continue to alert on these signatures, I would recommend creating a drop rule with "log to db only" for these alarms. They occur too often in "normal" traffic for them to be useful.

ben.gordon Sun, 06/22/2008 - 17:20

Sounds like a problem with the ISP. They may have a congested backbone or a faulty piece of equipment causing the errors. I would check the configuration of the links and interface errors.
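The two replies above point in different directions (tune the alarms down if they are spread across all links; suspect a circuit or ISP if they are not), and the decision turns on how the alerts are distributed across the four inline links. The script below is an added example, not code from the original thread or from Cisco: it parses a small set of constructed alert records in a hypothetical line format (MARS's real export format is not shown on this page, so `parse_alerts` would need adapting), tallies them per link and per signature, and applies a simple skew heuristic of this example's own design to suggest which signatures look like background noise worth a "log to db only" drop rule and which are concentrated on one link and deserve an interface-error check.

```python
"""Triage of TCP protocol-anomaly alerts exported from an IPS/MARS.

Added example, not code from the original thread. The record format below is
constructed and hypothetical; adapt parse_alerts() to the export you actually have.
"""
import re
from collections import Counter, defaultdict

# Constructed sample alerts in a hypothetical one-line-per-alert format.
# Four inline links; link 2 carries every "bad checksum" alert on purpose.
SAMPLE_ALERTS = """\
2008-06-02T09:00:01 ips4260 link=1 name="TCP Segment Out of Order" src=10.1.1.5 dst=172.16.0.9
2008-06-02T09:00:02 ips4260 link=2 name="TCP Segment Out of Order" src=10.2.1.7 dst=172.16.0.9
2008-06-02T09:00:03 ips4260 link=3 name="TCP Packet Out of State Order" src=10.3.1.2 dst=172.16.0.10
2008-06-02T09:00:04 ips4260 link=4 name="TCP Segment Out of Window" src=10.4.1.9 dst=172.16.0.11
2008-06-02T09:00:05 ips4260 link=2 name="TCP Packet With Bad Checksum" src=10.2.1.7 dst=172.16.0.9
2008-06-02T09:00:06 ips4260 link=2 name="TCP Packet With Bad Checksum" src=10.2.1.8 dst=172.16.0.12
2008-06-02T09:00:07 ips4260 link=2 name="TCP Packet With Bad Checksum" src=10.2.1.9 dst=172.16.0.9
2008-06-02T09:00:08 ips4260 link=2 name="TCP Packet With Bad Checksum" src=10.2.1.7 dst=172.16.0.13
2008-06-02T09:00:09 ips4260 link=1 name="TCP Segment Out of Order" src=10.1.1.6 dst=172.16.0.9
2008-06-02T09:00:10 ips4260 link=3 name="TCP Segment Out of Order" src=10.3.1.3 dst=172.16.0.9
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<sensor>\S+) link=(?P<link>\d+) name="(?P<name>[^"]+)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+)$'
)


def parse_alerts(text):
    """Parse the hypothetical export format into a list of dicts; skip junk lines."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def counts_by_link(alerts):
    """Return {link: Counter(signature name -> count)} for a per-link view."""
    per_link = defaultdict(Counter)
    for a in alerts:
        per_link[a["link"]][a["name"]] += 1
    return per_link


def triage(alerts, skew_threshold=0.6, min_count=3):
    """Classify each signature by how its alerts are spread across links.

    Heuristic (an assumption of this example, not a MARS feature):
      - fewer than min_count alerts        -> "insufficient-data"
      - one link carries > skew_threshold   -> "link-problem" (check that
        link's interface errors / ISP circuit, as ben.gordon suggests)
      - otherwise                           -> "background-noise" (candidate
        for a "log to db only" drop rule, as mhellman suggests)
    Returns {signature: (verdict, dominant_link_or_None, share)}.
    """
    per_sig_link = defaultdict(Counter)
    for a in alerts:
        per_sig_link[a["name"]][a["link"]] += 1

    verdicts = {}
    for sig, links in per_sig_link.items():
        total = sum(links.values())
        link, n = links.most_common(1)[0]
        share = n / total
        if total < min_count:
            verdicts[sig] = ("insufficient-data", None, share)
        elif share > skew_threshold:
            verdicts[sig] = ("link-problem", link, share)
        else:
            verdicts[sig] = ("background-noise", None, share)
    return verdicts


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for link, sigs in sorted(counts_by_link(alerts).items()):
        print(f"link {link}: {dict(sigs)}")
    for sig, (verdict, link, share) in sorted(triage(alerts).items()):
        where = f" on link {link}" if link else ""
        print(f"{sig}: {verdict}{where} (top-link share {share:.0%})")
```

Run it against a day or two of real exports rather than ten constructed lines: the out-of-order and out-of-window alarms normally show up on every link at a steady rate (tune them), while a single link accumulating bad-checksum alerts from many sources is the pattern that justifies pulling interface error counters on that circuit.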

