Gold

help understanding alarm for IP flags are invalid (1225-0)

The alarm is attached. Based on my feeble attempts to read the IP header included in the alarm, the Don't fragment bit is set and the frag offset is zero. Why is this signature firing?

3 REPLIES
Anonymous
N/A

Re: help understanding alarm for IP flags are invalid (1225-0)

It's not necessarily to do with fragmented packets; it depends on which signature actually fired. It will be one of the normalizer engine sigs, and the action on that signature will be "deny-connection-inline", meaning that once the sig fires, all subsequent packets on that connection are denied/dropped.

Gold

Re: help understanding alarm for IP flags are invalid (1225-0)

Not sure I follow you. We're not inline, we're in promiscuous mode. The signature that actually fired is in the heading of the posting: 1225-0. Unless I'm reading it wrong, the trigger packet has the "do not fragment" bit set and has no fragment offset value. To the untrained eye, this appears to be a normal unfragmented packet.

Gold

Re: help understanding alarm for IP flags are invalid (1225-0)

This appears to be a big scary bug. I didn't initially bother to validate the trigger packet source and destination IP address. I should have. The trigger packet has a destination address of 206.195.196.91 and NOT 192.168.10.10. The firewall logs show that there WAS a session between 75.211.49.149 and 206.195.196.91 during this time period. I don't know what to make of this other than at least once my IDS fired a completely and utterly mashed up mess of an alarm.
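Reading the flags, fragment offset and addresses out of the raw IPv4 header attached to an alarm by hand, as the original post and the last reply do, is easy to get wrong. The following is an added example, not code from this thread or from Cisco: it decodes those fields from a header and applies a few generic sanity checks. The sample headers and TEST-NET addresses are constructed, and the checks are assumptions about combinations commonly treated as invalid, not the definition signature 1225 itself uses.

```python
import ipaddress
import struct

# Bit layout of the 16-bit flags/fragment-offset field in the IPv4 header (RFC 791).
FLAG_RESERVED = 0x8000     # must be zero
FLAG_DF = 0x4000           # Don't Fragment
FLAG_MF = 0x2000           # More Fragments
FRAG_OFFSET_MASK = 0x1FFF  # offset in 8-byte units
HDR_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header with its checksum field already zeroed."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields a trigger packet should be checked against before trusting the alarm."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    ver_ihl, _tos, _tlen, _ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack(HDR_FMT, pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    zeroed = pkt[:10] + b"\x00\x00" + pkt[12:ihl]  # checksum field cleared for recomputation
    return {
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "reserved": bool(flags_frag & FLAG_RESERVED), "df": bool(flags_frag & FLAG_DF),
        "mf": bool(flags_frag & FLAG_MF), "frag_offset": (flags_frag & FRAG_OFFSET_MASK) * 8,
        "ttl": ttl, "proto": proto, "checksum_ok": ipv4_checksum(zeroed) == csum,
    }

def flag_problems(hdr: dict) -> list:
    """Assumed sanity checks on the flag field; an empty list means nothing looks inconsistent."""
    problems = []
    if hdr["reserved"]:
        problems.append("reserved flag bit set")
    if hdr["df"] and hdr["mf"]:
        problems.append("DF and MF both set")
    if hdr["df"] and hdr["frag_offset"] != 0:
        problems.append("DF set on a packet with a nonzero fragment offset")
    if not hdr["checksum_ok"]:
        problems.append("header checksum mismatch")
    return problems

def build_header(flags_frag: int, src: str, dst: str) -> bytes:
    """Constructed sample header (TEST-NET addresses) with the checksum filled in."""
    fields = [0x45, 0, 40, 0x1234, flags_frag, 64, 6, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(HDR_FMT, *fields))
    return struct.pack(HDR_FMT, *fields)

NORMAL = build_header(0x4000, "192.0.2.1", "203.0.113.5")  # DF set, offset 0: ordinary packet
BAD = build_header(0x6000, "192.0.2.1", "203.0.113.5")     # DF and MF both set: inconsistent
```

Running `parse_ipv4_header` on the bytes shown in an alarm gives the destination address and flags directly, so a mismatch like the one described in the last reply shows up before any time is spent on the signature itself.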
