IPS 4240 seems to be dropping legitimate packets

Unanswered Question
Sep 4th, 2008

I have an IPS 4240 installed in between my customer's Outside Firewall and his Internet Router.

I have been receiving excessive Alarms from the IPS with respect to a match on signature ID:1300/0. This is allegedly a TCP Segment Overwrite. The addresses are the addresses of a DNS server provided by our ISP, and then our Front End Mail Server in our DMZ. Is this most likely a false positive, or is it a crafted packet that could be an attack?

Farrukh Haroon Sat, 09/06/2008 - 23:38

We see this signature fire all the time for hosts about whom we are sure that they are not HaX0RiNG our network :)



