Cisco Support Community
Community Member

Handling MARS's "System Rule: Misc. Attacks: TCP/IP Protocol Anomaly"

I have an IPS 4260 monitoring 4 inline links, connecting to a MARS 20.

MARS has been reporting a large number of TCP-related alerts over the WAN, i.e.:

-TCP packet with segment out of order,

-TCP packet out of state order,

-TCP segment out of window,

-TCP Packet With Bad Checksum

Can anyone advise on the best practice, or how I should assess and handle these situations?

Thanks

cash

2 REPLIES
Gold

Re: Handling MARS's "System Rule: Misc. Attacks: TCP/IP Protocol

Even if you decide to continue to alert on these signatures, I would recommend creating a drop rule with "log to db only" for these alarms. They occur too often in "normal" traffic for them to be useful.

Community Member

Re: Handling MARS's "System Rule: Misc. Attacks: TCP/IP Protocol

Sounds like a problem with the ISP. They may have a congested backbone or a faulty piece of equipment causing the errors. I would check the configuration of the links and interface errors.
