
New Member

IDS and two switches

I have an IDS "listening in" on two switches. Problems begin when a host connected to switch1 talks to another host connected to switch2. Apparently I can see the packets twice (the only difference is TTL decreased by one). To make it more interesting, SigID:1300-0 Sig:TCP Segment Overwrite starts firing.

Any suggestions greatly appreciated.

-A

1 REPLY
Bronze

Re: IDS and two switches

This signature 1300 will only fire when the data in the stream is attempting to be overwritten with different data than what was previously seen at that sequence offset. The issue is that networking stacks based on BSD4.2 implementations might use an older method of sending TCP keepalives. The IDS flags this as a TCP overwrite and fires signature 1300. The resolution is to upgrade to sensor v5.0, where this trigger will not cause an alarm to fire.

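An added example, not from the thread and not Cisco's sensor logic, of the overlap check the reply describes: a segment copy with identical bytes (such as the same packet captured on both switches) is a duplicate, while different bytes at an already-seen sequence offset count as an overwrite. The keepalive heuristic (one garbage byte at the last sequence number sent, the 4.2BSD-compatible keepalive form noted in RFC 1122), all names, and the sample segments are assumptions; sequence wraparound is ignored.

```python
from dataclasses import dataclass, field


@dataclass
class StreamTracker:
    """Bytes seen per sequence offset for one direction of one TCP flow.
    Hypothetical helper for illustration; ignores 32-bit sequence wraparound."""
    seen: dict = field(default_factory=dict)  # sequence offset -> byte value
    next_seq: int = 0                         # highest offset seen so far + 1

    def classify(self, seq: int, payload: bytes) -> str:
        if not payload:
            return "no-data"
        # Offsets in this segment that were already captured earlier.
        overlap = [(seq + i, b) for i, b in enumerate(payload)
                   if seq + i in self.seen]
        changed = [off for off, b in overlap if self.seen[off] != b]
        if changed:
            # Assumed heuristic: a single differing byte at next_seq - 1
            # looks like an old-style keepalive carrying a garbage octet.
            if len(payload) == 1 and seq == self.next_seq - 1:
                verdict = "keepalive-style-overwrite"
            else:
                verdict = "overwrite"
        elif len(overlap) == len(payload):
            verdict = "duplicate"   # same bytes again: retransmit or second tap
        else:
            verdict = "new-data"
        # Keep the first copy of each byte so later segments are compared to it.
        for i, b in enumerate(payload):
            self.seen.setdefault(seq + i, b)
        self.next_seq = max(self.next_seq, seq + len(payload))
        return verdict


def demo():
    # Constructed sample segments: (sequence number, payload).
    segments = [
        (1000, b"GET / HTTP/1.0\r\n"),  # first copy (seen on switch1)
        (1000, b"GET / HTTP/1.0\r\n"),  # same segment via switch2, TTL - 1
        (1016, b"\r\n"),                # rest of the request
        (1017, b"\x00"),                # one garbage byte at next_seq - 1
        (1000, b"GET /admin"),          # different data at old offsets
    ]
    tracker = StreamTracker()
    return [tracker.classify(seq, data) for seq, data in segments]


if __name__ == "__main__":
    print(demo())
```
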