Handling MARS's "System Rule: Misc. Attacks: TCP/IP Protocol Anomaly"

cashqoo
Level 1

I have an IPS 4260 monitoring 4 inline links, connecting to a MARS 20.

MARS has been reporting a large amount of TCP-related alerts over the WAN, i.e.:

- TCP packet with segment out of order
- TCP packet out of state order
- TCP segment out of window
- TCP Packet With Bad Checksum

Can anyone advise on the best practice, or how I should assess and handle this situation?

Thanks

cash

2 Replies

mhellman
Level 7

Even if you decide to continue to alert on these signatures, I would recommend creating a drop rule with "log to db only" for these alarms. They occur too often in "normal" traffic for them to be useful.

ben.gordon
Level 1

Sounds like a problem with the ISP. They may have a congested backbone or a faulty piece of equipment causing the errors. I would check the configuration of the links and interface errors.
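The two replies suggest two different checks: treat the four signatures as background noise (log to the database only), but look for one WAN link that stands out, which would point at the ISP or a faulty device. The script below is an added example, not code from either poster or from MARS; it runs on constructed events (the link names and counts are made up) and both the per-signature policy and the skew threshold are assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events, not real MARS/IPS output: (link, signature).
SAMPLE_EVENTS = [
    ("wan1", "TCP packet with segment out of order"),
    ("wan1", "TCP packet out of state order"),
    ("wan2", "TCP packet with segment out of order"),
    ("wan2", "TCP segment out of window"),
    ("wan2", "TCP Packet With Bad Checksum"),
    ("wan2", "TCP Packet With Bad Checksum"),
    ("wan2", "TCP Packet With Bad Checksum"),
    ("wan2", "TCP packet out of state order"),
    ("wan2", "TCP segment out of window"),
    ("wan3", "TCP segment out of window"),
    ("wan4", "TCP packet with segment out of order"),
]

# The four signatures named in the thread. They fire on ordinary WAN traffic
# (retransmission, reordering), so the first reply's "log to db only" fits.
LOG_ONLY = {
    "TCP packet with segment out of order",
    "TCP packet out of state order",
    "TCP segment out of window",
    "TCP Packet With Bad Checksum",
}

def classify(signature):
    """Rule action for one signature: noisy ones go to the database only."""
    return "log_to_db_only" if signature in LOG_ONLY else "alert"

def counts_by_link(events):
    """Per-link Counter of signatures, so skew between links is visible."""
    by_link = defaultdict(Counter)
    for link, signature in events:
        by_link[link][signature] += 1
    return by_link

def skewed_links(by_link, ratio=3.0):
    """Links whose event total exceeds ratio x the mean of the other links.
    Background noise spreads across links; one hot link points at a congested
    or faulty path, which is what the second reply suggests checking."""
    totals = {link: sum(c.values()) for link, c in by_link.items()}
    flagged = []
    for link, total in totals.items():
        others = [t for name, t in totals.items() if name != link]
        mean_others = sum(others) / len(others) if others else 0.0
        if total > ratio * mean_others:
            flagged.append(link)
    return sorted(flagged)
```

On the constructed data, wan2 carries most of the events, so it is the link whose interface errors and ISP path are worth checking first, while the signatures themselves stay on a log-only rule.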
