Cisco Support Community
New Member

IPS Impossible IP Packet

I have an IDSM-2 version 6.1.1 E2 sig 353. The IPS is running in promiscuous mode. The IPS is alarming on impossible IP packets. To trace down the culprit, I decided to log the packet pair with the hopes that the layer 2 information would help guide the way. When I examined the packets with Wireshark, the IP address information showed different source and destination IP addresses. The packet appeared to be normal.

Any ideas why the IPS reports data differently from Wireshark?

I have several Cisco IPS sensors on this same version (6.1.1 E2 S353). This device is the only one reporting this type of error.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: IPS Impossible IP Packet

There is a known bug, CSCsr49100.

There is a bug in the Fragmentation Reassemble/Normalizer code that can result in a false positive for the 1102 Impossible IP Packet signature.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsr49100

Cisco is aware of the issue, and is in the process of fixing the issue. (Fix is not yet released)

Using the above link you can periodically check the status of the issue. When a version is released with the fixes, a "Fixed-in" field will appear on the right side of the screen just beneath the "1st Found-in" versions. You will then need to upgrade to that version once it is released.
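One way to check the logged packets independently of the sensor, as an added example that is not part of the original thread and not Cisco code: it reads a classic pcap file and reports, for each IPv4 packet, whether it is a fragment and whether its source equals its destination. It assumes signature 1102 fires on source equal to destination (from Cisco's signature description, not stated in this thread); the helper names and sample frames are constructed.

```python
import socket
import struct

def ipv4_frame(src, dst, flags_frag=0, ident=1):
    """Constructed Ethernet + IPv4 header (no payload, checksum left at 0)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    return eth + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, flags_frag,
                             64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_pcap(frames):
    """Constructed sample: wrap frames in a little-endian classic pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def triage(pcap):
    """Per IPv4 packet: addresses, IP ID, fragment state, and src == dst."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None or struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    rows, off = [], 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(end + "I", pcap, off + 8)[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        l3 = 18 if frame[12:14] == b"\x81\x00" else 14   # skip one 802.1Q tag
        if frame[l3 - 2:l3] != b"\x08\x00" or len(frame) < l3 + 20:
            continue                                      # not IPv4, or truncated
        ip = frame[l3:]
        ident, ff = struct.unpack_from("!HH", ip, 4)
        rows.append({
            "src": socket.inet_ntoa(ip[12:16]),
            "dst": socket.inet_ntoa(ip[16:20]),
            "ip_id": ident,
            "fragment": bool(ff & 0x3FFF),                # MF flag or offset set
            "src_eq_dst": ip[12:16] == ip[16:20],
        })
    return rows

# Constructed capture: a normal packet, a first fragment, and a src == dst packet.
SAMPLE = build_pcap([
    ipv4_frame("10.0.0.1", "10.0.0.2", 0x4000, ident=7),
    ipv4_frame("10.0.0.1", "10.0.0.2", 0x2000, ident=8),
    ipv4_frame("10.0.0.5", "10.0.0.5", 0x0000, ident=9),
])
if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```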
