cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
553
Views
5
Helpful
6
Replies

TCP Segment Overwrites (Sig 1300) - Causes?

cgiulini
Level 1
Level 1

I recently saw a number of hits against Signature 1300 - TCP Segment Overwrite. I am trying to figure out what could cause this condition. Has anyone else seen this in a normal connection?

Regards,

Chad

6 Replies 6

umedryk
Level 5
Level 5

Only if the retransmitted data overwrites a different segment, sig 1300 alarms. Check that out...

mlhall
Level 1
Level 1

I have several packet traces from several customers that see this alert. There appears to be a bug in the microsoft TCP stack when connections go stale. What happens is that the last successful segment's last byte is resent with a value of 0xff. This is after the other endhost has ACK'ed the sequence from the last segments.

So for example.

a->b seq=100 data="ABCDEFG"

b->a ack=107 no data

a->b seq=106 data="(0xff)"

The last packet in the example is overwriting the G in the first packet with an 0xff. This causes the IDS to fire. We are working on detecting this stack bug in a new version.

I have a few traces to run through from the sensor.

Thanks for giving me somewhere to start looking.

Regards,

Chad

After further investigation I have found that there is an older implementation of TCP keepalives dating back to BSD 4.2 days where the keepalive does hold garbage data. Microsoft's stack was based on some of this older BSD code and therefore shows this behavior. So we have concluded that there is no stack bug in Microsoft's TCP stack. They are just doing something that most stacks do not.

We now know the problem and I will be committing a fix for v4.1.4 of the IDS. It will safely ignore an overwrite if it is a single byte one byte back in the sequence and both ends of the TCP connection have already ack'ed the byte.

Sorry for the delay in solving this problem for you all. If you have lowered the sev or filtered 1300 I would recommend setting your filters and severity back to default after upgrading to v4.1.4.

And when is 4.1.4 due out?

4.1(4) has not been officially scheduled for release as yet. So we can not give a date for you. However there will be a 4.1(3d) patch made available that will include this fix in the next two weeks.

KLW

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: