Cisco Support Community
New Member

Impossible IP packet: SIG 1102 (0) - (0.1.0.4 address)

I have just noticed that this signature has fired for 2 of our different clients but with the same source/destination IPs. I would normally assume that this is either impossible or very strange.

I think that might be where the name of the signature comes from anyway?

In each case, all IP addresses reported were 0.1.0.4.

Is this a generic address that simply represents an internal unknown device?

Does the signature need tweaking on the sensor? How are we meant to advise the client of where this activity comes from?

And finally, does it require a TAC case to request an update from Cisco?

It slightly concerns me that this signature has an impact rating of high, and we've not noticed this before, and every instance has been ignored (not filtered, etc).

Any help would be appreciated.

Regards.

1 REPLY
New Member

Re: Impossible IP packet: SIG 1102 (0) - (0.1.0.4 address)

The nature of this signature is an attempt to crash the device by having an IP packet with equal S & D. It is known as the Land attack, but does it matter what the IPs actually are?

If it can never occur within legitimate traffic, then can we always ignore it?

Cheers.
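
A minimal triage check for the condition the reply describes (source equal to destination in the IPv4 header), as an added example that is not part of the original thread and not Cisco's signature logic. The function names and sample headers are constructed here; the 0.0.0.0/8 test reflects that block being reserved ("this network", RFC 1122), which covers the 0.1.0.4 address reported in the question.

```python
import ipaddress
import struct

THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")  # reserved block (RFC 1122)

def parse_ipv4_addrs(packet: bytes):
    """Return (src, dst) from a raw IPv4 header, or None if not parseable."""
    if len(packet) < 20:
        return None                          # truncated: no complete header
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return None                          # not IPv4, or bad header length
    src, dst = struct.unpack_from("!4s4s", packet, 12)
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)

def triage(packet: bytes) -> str:
    """Classify one packet for alert triage (labels are this example's own)."""
    addrs = parse_ipv4_addrs(packet)
    if addrs is None:
        return "unparseable"
    src, dst = addrs
    if src != dst:
        return "ok"
    # Equal source and destination: the condition the reply describes.
    if src in THIS_NETWORK:
        return "equal-src-dst-reserved"      # address cannot identify a real host
    return "equal-src-dst"

def make_header(src: str, dst: str) -> bytes:
    """Constructed sample input: minimal 20-byte IPv4 header, checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

# Constructed samples; none of these bytes come from the sensors in the thread.
SAMPLES = {
    "normal": make_header("192.0.2.10", "198.51.100.7"),
    "same-host": make_header("192.0.2.10", "192.0.2.10"),
    "as-reported": make_header("0.1.0.4", "0.1.0.4"),
    "truncated": make_header("192.0.2.10", "192.0.2.10")[:12],
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12} {triage(pkt)}")
```
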
