On a customer's site, on one of their IPS, I get a lot of sig 1330 alerts, mainly these two:
1330-12: TCP segment is out of order. If the signature status is set to disabled, the packet will be passed to all engines that are not stream based. This signature will not produce an alert in promiscuous mode regardless of the signature status.
1330-17: TCP segment out of state order. If a packet in a stream causes this signature to produce an alert, processing will cease for that stream. This signature will not produce an alert in promiscuous mode regardless of the signature status.
I'm not sure how to interpret these alerts correctly and/or how to troubleshoot further. Does anyone have an idea?
Thanks a lot,