
IPS Impossible IP Packet

rmeans
Level 3

I have an IDSM-2 version 6.1.1 E2 sig 353. The IPS is running in promiscuous mode. The IPS is alarming on impossible IP packets. To trace down the culprit, I decided to log the packet pair with the hopes that the layer 2 information would help guide the way. When I examined the packets with Wireshark, the IP address information showed different source and destination IP addresses. The packet appeared to be normal.

Any ideas why the IPS reports data differently from Wireshark?

I have several Cisco IPS sensors on this same version (6.1.1 E2 S353). This device is the only one reporting this type of error.

1 Accepted Solution

marcabal
Cisco Employee

There is a known bug CSCsr49100.

There is a bug in the Fragmentation Reassemble/Normalizer code that can result in a false positive for the 1102 Impossible IP Packet signature.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsr49100

Cisco is aware of the issue, and is in the process of fixing the issue. (Fix is not yet released)

Using the above link you can periodically check the status of the issue. When a version is released with the fixes a "Fixed-in" field will appear on the right side of the screen just beneath the "1st Found-in" versions. You will then need to upgrade to that version once it is released.
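The check the question describes (comparing the logged packets against what the alert claims) can be scripted. This is an added example, not part of the original thread and not Cisco code. It assumes the logged packets are saved as a classic libpcap file with Ethernet framing, and that signature 1102 keys on identical source and destination addresses, as the poster's comparison implies. `triage_pcap` and `build_sample` are hypothetical names and the sample capture is constructed.

```python
import socket
import struct

# Classic (microsecond) pcap magic as it appears on disk -> struct byte order
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def triage_pcap(data):
    """Return one record per IPv4 packet in a classic Ethernet pcap byte string."""
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    records, offset, index = [], 24, 0
    while offset + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        frame = data[offset + 16:offset + 16 + caplen]
        offset, index = offset + 16 + caplen, index + 1
        if len(frame) < 14:
            continue
        ethertype, l3 = struct.unpack("!H", frame[12:14])[0], 14
        while ethertype == 0x8100 and len(frame) >= l3 + 4:  # skip 802.1Q tags
            ethertype, l3 = struct.unpack("!H", frame[l3 + 2:l3 + 4])[0], l3 + 4
        ip = frame[l3:l3 + 20]
        if ethertype != 0x0800 or len(ip) < 20 or ip[0] >> 4 != 4:
            continue
        flags_frag = struct.unpack("!H", ip[6:8])[0]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        records.append({
            "packet": index,
            "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),  # layer 2 sender
            "src": src, "dst": dst,
            "same_addr": src == dst,  # condition assumed for signature 1102
            "fragment": (flags_frag & 0x3FFF) != 0,  # MF bit set or offset > 0
        })
    return records

def build_sample():
    """Constructed capture: an ordinary first fragment, then a src == dst packet."""
    def frame(src, dst, flags_frag):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, flags_frag, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        return bytes(6) + bytes.fromhex("020000000001") + b"\x08\x00" + ip
    frames = [frame("192.0.2.10", "198.51.100.20", 0x2000),
              frame("192.0.2.10", "192.0.2.10", 0)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

If every logged packet comes back with `same_addr` false and `fragment` true, that is consistent with a false positive arising in fragment reassembly rather than a genuinely malformed packet on the wire.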
