
Excess hits on IPS signatures 1204 and 1208

gautamzone
Level 1

Dear friends,

I am getting a lot of 1204/0 and 1208/0 hits for a particular server behind FWSM with destination traffic being 224.0.0.255 and protocol being UDP.

These signatures relate to Missing Initial Fragment and IP Fragment Incomplete Datagram.

Do you have any suggestions on how to handle this?

The sensor is operating in both promiscuous as well as inline mode, but I don't remember exactly if this event is coming from the virtual sensor in promiscuous mode or inline mode. I believe it is promiscuous.

Any ideas would really be appreciated.

Thanks and Regards

1 Reply 1

Marcin Latosiewicz
Cisco Employee

From FWSM's perspective

server ------ (inside vlan) FWSM (outside vlan) ------- {cloud}

Where are you sniffing?

FWSM has its own fragmentation checks in place and will not allow traffic for which it has not received all the fragments - maybe it's pointless to have those checks on IPS?

Helpful FWSM:

----

show frag

show np 3 reas

----

On a higher level, I know that certain multicast apps will send huge chunks of fragmented data and you may consider raising MTU on FWSM + using jumbo frames to mitigate some of the impact. You'd need to know who's receiving those multicast groups though.
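
To triage alerts like these, it helps to check whether the fragment trains seen at the sensor's capture point really are missing their first fragment or left incomplete. The following is an added example, not part of the thread and not Cisco's signature logic: the record layout, the source address and the verdict labels are constructed, with the labels chosen to mirror the two signature descriptions quoted in the question.

```python
from collections import defaultdict

# Constructed sample records, one per captured IP fragment:
# (src, dst, proto, ip_id, offset_bytes, payload_len, more_fragments)
# 192.0.2.10 is a placeholder source; 17 is UDP.
SAMPLE = [
    ("192.0.2.10", "224.0.0.255", 17, 100, 0, 1480, True),
    ("192.0.2.10", "224.0.0.255", 17, 100, 1480, 1480, True),
    ("192.0.2.10", "224.0.0.255", 17, 100, 2960, 500, False),  # full train
    ("192.0.2.10", "224.0.0.255", 17, 101, 1480, 1480, True),
    ("192.0.2.10", "224.0.0.255", 17, 101, 2960, 500, False),  # offset 0 never seen
    ("192.0.2.10", "224.0.0.255", 17, 102, 0, 1480, True),
    ("192.0.2.10", "224.0.0.255", 17, 102, 2960, 500, False),  # middle fragment lost
    ("192.0.2.10", "224.0.0.255", 17, 103, 0, 1480, True),     # tail never seen
]


def classify_fragments(records):
    """Group fragments by reassembly key and say whether each datagram can be rebuilt."""
    groups = defaultdict(list)
    for src, dst, proto, ip_id, offset, length, more in records:
        groups[(src, dst, proto, ip_id)].append((offset, length, more))

    verdicts = {}
    for key, frags in groups.items():
        frags.sort()
        if frags[0][0] != 0:
            verdicts[key] = "missing_initial_fragment"
            continue
        covered, saw_last, gap = 0, False, False
        for offset, length, more in frags:
            if offset > covered:  # hole between the previous fragment and this one
                gap = True
                break
            covered = max(covered, offset + length)
            saw_last = saw_last or not more
        complete = saw_last and not gap
        verdicts[key] = "complete" if complete else "incomplete_datagram"
    return verdicts


def summarize(records):
    """Count datagrams per verdict, e.g. to compare two capture points."""
    counts = defaultdict(int)
    for verdict in classify_fragments(records).values():
        counts[verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running the same summary over captures taken on the inside and outside VLANs shows whether fragments are absent at the source or only at the point where the sensor is sniffing.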
