TCP Window Variation Sig fires repeatedly

Unanswered Question
Sep 9th, 2009

Sig 1307/0 TCP Window Variation is constantly firing on my IPS. The explanation mentions that some "improperly implemented" firewalls can cause this signature to fire. I have an ASA 5520 between my users and the internet and all internet traffic is NATed. It fires on normal web traffic to known good sites as well as traffic between sites coming in over IPSEC VPN, which is exempted from NAT. Any ideas on what may be causing this?

smalkeric Tue, 09/15/2009 - 05:50

This signature Sig 1307/0 will fire when the TCP window varies in a suspect manner. The right edge of the receive window for TCP decreases. The TCP RFCs state that this should not occur.

This signature will NOT function in promiscuous mode.

Some incorrectly implemented proxies or network address translation firewalls could modify the window and cause this signature to fire.


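The condition the reply describes, the right edge of a direction's receive window (ACK number plus the scaled window) moving backwards, is easy to reproduce outside the sensor. The following is an added example, not code from the original thread or from Cisco; the `Segment` type, the `direction` labels and the sample flow are constructed for illustration. It tracks the right edge per direction with wrap-safe sequence arithmetic (RFC 793 style) and also shows why a sensor has to know the window scale negotiated in the SYN: the same wire bytes interpreted with scale 0 miss one of the two shrinks.

```python
# Added example (not from the original thread): a minimal tracker for the
# condition signature 1307/0 looks for, the TCP receive window's right edge
# moving backwards. Right edge = ACK + (window << scale) per RFC 7323;
# RFC 1122 says a receiver SHOULD NOT shrink it. All segments are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEQ_MOD = 1 << 32


@dataclass(frozen=True)
class Segment:
    direction: str  # hypothetical label for one side of the flow, e.g. "client"
    ack: int        # acknowledgement number (next byte the sender expects)
    window: int     # raw 16-bit window field as carried on the wire
    scale: int = 0  # window-scale shift negotiated in the SYN, 0 if none


def right_edge(seg: Segment) -> int:
    """Highest sequence number the sender of this segment is willing to accept."""
    return (seg.ack + (seg.window << seg.scale)) % SEQ_MOD


def seq_before(a: int, b: int) -> bool:
    """True if a lies behind b in 32-bit sequence space (wrap-safe comparison)."""
    return (a - b) % SEQ_MOD > SEQ_MOD // 2


def find_window_shrinks(segments: List[Segment]) -> List[Tuple[int, int, int]]:
    """Return (index, previous_edge, new_edge) for every segment that pulls the
    right edge of its direction's receive window backwards."""
    last_edge: Dict[str, int] = {}
    hits: List[Tuple[int, int, int]] = []
    for i, seg in enumerate(segments):
        edge = right_edge(seg)
        prev = last_edge.get(seg.direction)
        if prev is not None and seq_before(edge, prev):
            hits.append((i, prev, edge))
        last_edge[seg.direction] = edge
    return hits


def with_assumed_scale(segments: List[Segment], scale: int) -> List[Segment]:
    """Re-interpret the same wire bytes with a different scale, as a sensor that
    never saw the SYN options would have to."""
    return [Segment(s.direction, s.ack, s.window, scale) for s in segments]


# Constructed flow: client negotiated scale 7 (x128); server uses no scaling.
SAMPLE = [
    Segment("client", ack=1000, window=100, scale=7),  # edge 13800
    Segment("client", ack=1500, window=100, scale=7),  # edge 14300, grew
    Segment("server", ack=200, window=65535),          # edge 65735
    Segment("server", ack=200, window=65535),          # unchanged, not a shrink
    Segment("client", ack=1500, window=50, scale=7),   # edge 7900: pulled back
    Segment("client", ack=2000, window=100, scale=7),  # edge 14800, recovered
    Segment("client", ack=2100, window=90, scale=7),   # edge 13620: shrink only
                                                       # visible when scale known
]

if __name__ == "__main__":
    for idx, prev, new in find_window_shrinks(SAMPLE):
        print(f"segment {idx}: right edge moved from {prev} back to {new}")
    # Same bytes, scale assumed 0 (SYN not seen): the last shrink is missed.
    print(find_window_shrinks(with_assumed_scale(SAMPLE, 0)))
```

A real sensor derives the scale from the SYN/SYN-ACK options, which is one reason this check needs a fully tracked connection rather than isolated packets; a NAT or proxy that rewrites the window or the scale option on the way through will produce exactly the edge movement the tracker flags.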