Event: NULL TCP PACKET

izaskun.onandia
Level 1

Hello all,

we are increasingly receiving a lot of MARS events that come from the Cisco IDS. All those events are "NULL TCP PACKET", and the destination is always the same: an SMTP IronPort machine, through port 25, from different public IPs.

Does anybody have a similar scenario? What can we do?

Thanks

8 Replies

Farrukh Haroon
VIP Alumni

What is the frequency of such packets? A few of them are usually negligible; this is especially true if you are at or near full utilization of your Internet link.

Regards

Farrukh

Thank you for the reply,

the frequency is:

August: 925

September: 1828

October (till Thursday 23): 2329

And growing. I think it is not licit traffic.

Regards

Izaskun

How is the congestion/utilization on your Internet link?

Exactly 'which' IPS signature is firing, by the way? (You can check this in the raw event logs in MARS, by clicking the icon next to the name of the reporting device.)

Regards

Farrukh

Hi,

The average utilization is 88%, and the maximum peak is 5%.

Our IPS signature is 364

Thanks again

Izaskun

What make/model of IPS are you running?

Have you checked with that vendor for known false positives?

If there are false positives that will help you with tuning your sensor or with tuning out the alert on MARS.

Raymond

Hi,

We have a Cisco IPS. I think that this traffic is not a false positive; I think it is illegal traffic.

Regards

What IPS signature are you seeing firing? I don't recognize 364.

Have you done a packet capture on the traffic? If so, what are you seeing out of the ordinary?

Are the sources of this connection a valid host or is it from areas of the world that are more known for hacking?

Hi,

The signature version is 364 and the IPS version is 6.1(1)E2.

It is supposed to be a single TCP packet with none of the SYN, ACK, FIN or RST flags set.

It comes from different public IPs, from different ISPs.

Regards

Izaskun
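To show what the sensor is matching on in the last reply (a TCP segment with none of SYN, ACK, FIN or RST set), here is an added example that is not from this thread or from Cisco: it parses raw IPv4/TCP headers, classifies each segment, and tallies the source addresses of such packets aimed at the SMTP port. The packets and addresses are constructed samples; the helper names are assumptions.

```python
import struct
from collections import Counter

# TCP flag bits in header byte 13 (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_packet(src: str, dst: str, dport: int, flags: int) -> bytes:
    """Constructed sample: minimal IPv4 + TCP header, no options, checksums zeroed."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src_b, dst_b)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return ip + tcp

def parse_ipv4_tcp(pkt: bytes):
    """Return (src_ip, dst_ip, dst_port, flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:   # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:ihl + 20]
    _sport, dport = struct.unpack("!HH", tcp[0:4])
    return src, dst, dport, tcp[13]

def is_null_tcp(flags: int) -> bool:
    """Matches the description in the thread: none of SYN, ACK, FIN or RST present.
    A legitimate segment always carries at least one of these, so PSH/URG alone
    still counts as 'null' here (hypothetical interpretation of the signature)."""
    return flags & (SYN | ACK | FIN | RST) == 0

def null_sources(packets, port: int = 25) -> Counter:
    """Count, per source IP, the null segments aimed at the given destination port."""
    hits = Counter()
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed and parsed[2] == port and is_null_tcp(parsed[3]):
            hits[parsed[0]] += 1
    return hits

# Constructed sample traffic: two null probes to the mail host, one normal SYN.
SAMPLE = [
    build_packet("203.0.113.5", "192.0.2.10", 25, 0),
    build_packet("198.51.100.7", "192.0.2.10", 25, PSH),
    build_packet("198.51.100.7", "192.0.2.10", 25, SYN),
]
```

Run `null_sources(SAMPLE)` to get the per-source tally; feeding it packets read from a pcap of port-25 traffic would reproduce what the sensor is counting.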
