Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
303
Views
0
Helpful
1
Replies

IDS and two switches

apolkosnik
Level 1
Level 1

‎09-12-2006 01:54 PM - edited ‎03-10-2019 03:13 AM

I have an IDS "listening in" on two switches. Problems begin when a host connected to switch1 talks to another host connected to switch2. Apparently I can see the packets twice (the only difference is TTL decreased by one). To make it more interesting SigID:1300-0 Sig:TCP Segment Overwrite starts firing.

Any suggestions greatly appreciated.

-A

Labels:
0 Helpful
1 Reply 1

vmoopeung
Level 5
Level 5

‎09-18-2006 12:04 PM

This signature 1300 will only fire when the data in the stream is attempting to be overwritten with different data than what was previously seen at that sequence offset. The issue is due to Networking stacks based on BSD4.2 implementations might use a older method of sending TCP keepalives. The IDS flags this as a TCP overwrite and fires signature 1300. The resolution is to Upgrade to sensor v5.0 where this trigger will not cause an alarm to fire.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card