Event: NULL TCP PACKET

Unanswered Question
Oct 28th, 2008

Hello all,


We are incrementally receiving a lot of MARS events that come from Cisco IDS. All those events are "NULL TCP PACKET", and the destination is always the same: an SMTP IronPort machine through port 25, from different public IPs.


Does anybody have a similar scenario? What can we do?


Thanks

Farrukh Haroon Wed, 10/29/2008 - 04:54
User Badges:
  • Red, 2250 points or more

What is the frequency of such packets? A few of them are usually negligible; this is especially true if you are over/near utilization for your internet link.


Regards


Farrukh

izaskun.onandia Wed, 10/29/2008 - 05:42

Thank you for the reply,


The frequency is:

August: 925

September: 1828

October (till Thursday 23): 2329


And growing. I think it is not licit traffic.


Regards


Izaskun


Farrukh Haroon Wed, 10/29/2008 - 07:16
User Badges:
  • Red, 2250 points or more

How is the congestion/utilization on your Internet link?


Exactly 'which' IPS signature is firing, btw? (You can check this out in the raw event logs in MARS; this is done by clicking the icon next to the name of the reporting device.)


Regards


Farrukh

izaskun.onandia Wed, 10/29/2008 - 08:36

Hi,


The ratio of average use is 88%, and the maximum peak is 5%.



Our IPS signature is 364


Thanks again



Izaskun


rajett Wed, 10/29/2008 - 15:39
User Badges:
  • Cisco Employee,

What make/model of IPS are you running?


Have you checked with that vendor for known false positives?


If there are false positives that will help you with tuning your sensor or with tuning out the alert on MARS.


Raymond

izaskun.onandia Thu, 10/30/2008 - 01:05

Hi,


We have a Cisco IPS. I think that this traffic is not a false positive; I think it is illegal traffic.


Regards

rajett Thu, 10/30/2008 - 11:36
User Badges:
  • Cisco Employee,

What IPS signature are you seeing firing? I don't recognize 364.


Have you done a packet capture on the traffic? If so, what are you seeing out of the ordinary?


Are the sources of this connection a valid host or is it from areas of the world that are more known for hacking?

izaskun.onandia Fri, 10/31/2008 - 01:16

Hi,


The signature version is 364 and the IPS version is 6.1(1)E2.


It is supposed to be a single TCP packet with none of the SYN, ACK, FIN or RST flags.


It comes from different public IPs that come from different ISPs.


Regards

Izaskun
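The last post describes what the signature actually matches: a TCP packet carrying none of SYN, ACK, FIN or RST, i.e. a packet that is neither opening, continuing nor closing a session. The following Python is an added example (not code from the thread, from Cisco, or from MARS/IPS) showing that same check applied to raw IPv4/TCP headers, restricted to the watched SMTP port, and summarised by distinct source address, which is the question the thread circles around (how many, and from how many sources). The packets are constructed inline with documentation-range addresses; `build_packet`, `null_packet_report` and `TcpSummary` are names chosen here, and the checksums are left at zero because the bytes only feed the parser.

```python
import struct
from dataclasses import dataclass

# TCP flag bits as laid out in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# The flags the thread's signature description names: a packet with none of
# these is neither starting, carrying on, nor tearing down a connection.
STATE_FLAGS = SYN | ACK | FIN | RST


@dataclass(frozen=True)
class TcpSummary:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


def parse_ipv4_tcp(pkt: bytes):
    """Return a TcpSummary for an IPv4/TCP packet, or None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:          # too short / not IPv4
        return None
    ihl = (pkt[0] & 0x0F) * 4                       # IP header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 20:          # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]                           # CWR ECE URG ACK PSH RST SYN FIN
    return TcpSummary(src, dst, sport, dport, flags)


def is_null_tcp(s: TcpSummary) -> bool:
    """True when the packet carries none of SYN/ACK/FIN/RST (PSH/URG alone still match)."""
    return s.flags & STATE_FLAGS == 0


def null_packet_report(packets, watched_port=25):
    """Count null-flag packets aimed at one port and list the distinct sources."""
    alerts = [s for s in map(parse_ipv4_tcp, packets)
              if s is not None and s.dport == watched_port and is_null_tcp(s)]
    return {
        "count": len(alerts),
        "distinct_sources": sorted({a.src for a in alerts}),
        "alerts": alerts,
    }


def build_packet(src, dst, sport, dport, flags, proto=6) -> bytes:
    """Constructed minimal IPv4 + TCP header for test input (checksums left zero)."""
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0, ip_src, ip_dst)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


# Constructed sample traffic; 192.0.2.25 stands in for the mail server.
SAMPLE_PACKETS = [
    build_packet("203.0.113.7", "192.0.2.25", 40001, 25, SYN),             # normal handshake
    build_packet("203.0.113.7", "192.0.2.25", 40001, 25, ACK | PSH),       # normal data
    build_packet("203.0.113.7", "192.0.2.25", 40002, 25, 0),               # no flags at all
    build_packet("198.51.100.9", "192.0.2.25", 51000, 25, PSH | URG),      # no state flags
    build_packet("198.51.100.9", "192.0.2.25", 51001, 25, FIN | PSH | URG),  # has FIN: no hit
    build_packet("198.51.100.9", "192.0.2.25", 51002, 25, 0, proto=17),    # UDP: ignored
    build_packet("203.0.113.7", "192.0.2.25", 40003, 443, 0),              # other port
]

if __name__ == "__main__":
    report = null_packet_report(SAMPLE_PACKETS)
    print(report["count"], "null-flag packets to port 25 from", report["distinct_sources"])
```

Two of the seven constructed packets match, from two sources. Note that a packet with only PSH or URG set is still a hit under the thread's definition, so a report like this counts a little more than a strict all-zero-flags "NULL scan" would; running the same classification over a capture taken at the sensor is the packet-level check rajett asks for before deciding between tuning the signature and treating the traffic as hostile.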
