IPS 4240 seems to be dropping legitimate packets

Unanswered Question
Sep 4th, 2008

I have an IPS 4240 installed in between my customer's Outside Firewall and his Internet Router.

I have been receiving excessive alarms from the IPS with respect to a match on signature ID 1300/0. This is allegedly a TCP Segment Overwrite. The addresses are the addresses of a DNS server provided by our ISP, and then our Front End Mail Server in our DMZ. Is this most likely a false positive, or is it a crafted packet that could be an attack?

Farrukh Haroon Sat, 09/06/2008 - 23:38

We see this signature fire all the time for hosts that we are sure are not HaX0RiNG our network :)

Regards

Farrukh
