I have an IDSM-2 version 6.1.1 E2 sig 353. The IPS is running in promiscuous mode. The IPS is alarming on impossible IP packets. To trace down the culprit, I decided to log the packet pair with the hopes that the layer 2 information would help guide the way. When I examined the packets with Wireshark, the IP address information showed different source and destination IP addresses. The packet appeared to be normal.
Any ideas why the IPS reports data differently from Wireshark?
I have several Cisco IPS sensors on this same version (6.1.1 E2 S353). This device is the only one reporting this type of error.
There is a known bug CSCsr49100.
There is a bug in the Fragmentation Reassemble/Normalizer code that can result in a false positive for the 1102 Impossible IP Packet signature.
Cisco is aware of the issue, and is in the process of fixing the issue. (Fix is not yet released)
Using the above link you can periodically check the status of the issue. When a version is released with the fixes a "Fixed-in" field will appear on the right side of the screen just beneath the "1st Found-in" versions. You will then need to upgrade to that version once it is released.