Sig Release 248 - NORMALIZER changes

mkirbyii
Level 1

I am looking for an explanation of the changes made to sig 1330 with release 248. Many of the Normalizer subsigs did not produce alerts before. Now they do, and my sensors are firing a ton of 1330 events. Any Cisco Signature Engineers able to respond would be great. Thank you in advance.

A second question about 1330 subsigs 12, 15 and 17 (Segment out of order, Segment already ACKed by peer, Segment out of state order, respectively). What do these do? These three cause major grief for us, especially when the sensor is placed behind the PIX/ASA inside interface. We experience many "deny-packet-inline" actions, which breaks many applications. I have to remove the "action" globally to allow the apps to work. Is there any impact to removing this action?

Thank you in advance

M

3 Replies

wsulym
Cisco Employee

As to the changes:

1308 was disabled.

1311: deny-connection-inline was removed.

1330 -3, -4, -11, -14, -16 were set to produce alerts, and the deny-packet-inline action was removed.

1330-15 was disabled.

Let me get back to you in a few regarding the others you mention in the second paragraph.

wsulym
Cisco Employee

Second part....

Subsigs 12 & 15 are pretty much what the title states: a segment was received out of order, or a segment was already ACKed by its peer (duplicate ACK). -17 relies on TCP state, so we'd fire on a dataful packet received after, say, the FIN or RST.

Some of the 1330 sigs will fire on normal traffic; the easiest one to make sense of would be something like the -15 subsig, which would fire on duplicate ACKs.

There is not a huge impact to changing the actions on these sigs, but I would say that it's worth investigating. In this case, for the ones you have issues with, I'd suggest opening a TAC case so we can dedicate some resources to it and keep private information off the forums.
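To make the three conditions described above concrete, here is an added toy TCP normalizer (example code written for this thread, not Cisco IPS code) that walks one flow and reports which of the -12, -15 and -17 conditions each segment would trip. The subsig numbers follow the thread; the exact matching rules (seq above the next expected byte for "out of order", segment end at or below the peer's highest ACK for "already ACKed", any payload after the same side's FIN/RST for "out of state") are simplified assumptions, as is the constructed sample flow.

```python
from dataclasses import dataclass


@dataclass
class Seg:
    src: str      # "client" or "server"
    seq: int      # sequence number of the first byte this segment covers
    ack: int      # acknowledgement number (meaningful when "A" in flags)
    flags: str    # any of S, A, F, R
    length: int   # payload bytes carried


# Subsig numbers as discussed in the thread (sig 1330, Normalizer engine).
SUBSIG_OUT_OF_ORDER = 12
SUBSIG_ALREADY_ACKED = 15
SUBSIG_OUT_OF_STATE = 17


def peer(side: str) -> str:
    return "server" if side == "client" else "client"


def normalize(segs):
    """Walk one TCP flow and return (index, subsig, reason) for each hit.

    Assumed (simplified) rules: SYN and FIN each consume one sequence number,
    a side is 'closed' once it has sent FIN or RST, and out-of-order
    segments are queued and merged once the hole in front of them fills.
    """
    next_seq = {}    # side -> next in-order sequence number expected from it
    peer_ack = {}    # side -> highest ACK its peer has sent for that side's data
    closed = set()   # sides that have already sent FIN or RST
    pending = {"client": [], "server": []}   # queued (seq, end) per side
    alerts = []
    for i, s in enumerate(segs):
        end = s.seq + s.length + ("S" in s.flags) + ("F" in s.flags)
        if s.src in closed and s.length > 0:
            alerts.append((i, SUBSIG_OUT_OF_STATE, "data after FIN/RST from same side"))
        elif s.length > 0 and end <= peer_ack.get(s.src, 0):
            # A retransmission of data the peer has already acknowledged.
            alerts.append((i, SUBSIG_ALREADY_ACKED, "segment already ACKed by peer"))
        elif s.length > 0 and s.src in next_seq and s.seq > next_seq[s.src]:
            # A gap precedes this segment: hold it until the hole is filled.
            alerts.append((i, SUBSIG_OUT_OF_ORDER, "segment out of order"))
            pending[s.src].append((s.seq, end))
        else:
            # In-order data, pure ACK, or SYN: advance, then drain any queued
            # segments that are now contiguous with the stream.
            if "S" in s.flags or s.src not in next_seq:
                next_seq[s.src] = end
            else:
                next_seq[s.src] = max(next_seq[s.src], end)
            queue = pending[s.src]
            changed = True
            while changed:
                changed = False
                for item in list(queue):
                    if item[0] <= next_seq[s.src]:
                        next_seq[s.src] = max(next_seq[s.src], item[1])
                        queue.remove(item)
                        changed = True
        if "A" in s.flags:
            # This segment acknowledges the *peer's* data.
            other = peer(s.src)
            peer_ack[other] = max(peer_ack.get(other, 0), s.ack)
        if "F" in s.flags or "R" in s.flags:
            closed.add(s.src)
    return alerts


# Constructed sample flow (not a real capture): handshake, one data segment,
# a retransmit of ACKed data, a gap, the fill, a FIN, then data after the FIN.
SAMPLE = [
    Seg("client", 1000, 0,    "S",  0),    # 0  SYN
    Seg("server", 5000, 1001, "SA", 0),    # 1  SYN/ACK
    Seg("client", 1001, 5001, "A",  0),    # 2  ACK
    Seg("client", 1001, 5001, "A",  100),  # 3  100 bytes, in order
    Seg("server", 5001, 1101, "A",  0),    # 4  server ACKs through 1101
    Seg("client", 1001, 5001, "A",  100),  # 5  retransmit of ACKed data -> -15
    Seg("client", 1201, 5001, "A",  50),   # 6  arrives before 1101..1200 -> -12
    Seg("client", 1101, 5001, "A",  100),  # 7  fills the hole, no alert
    Seg("client", 1251, 5001, "FA", 0),    # 8  client FIN
    Seg("server", 5001, 1252, "A",  0),    # 9  server ACKs the FIN
    Seg("client", 1252, 5001, "A",  10),   # 10 data after own FIN -> -17
]

if __name__ == "__main__":
    for idx, subsig, why in normalize(SAMPLE):
        print(f"segment {idx}: 1330-{subsig} ({why})")
```

Note that segment 5 is exactly the "fires on normal traffic" case: a plain retransmission of data the peer has already ACKed, which is how a lossy path behind a firewall can generate a stream of -15 events with nothing malicious on the wire.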

Thank you very much for your response. I do need to open a TAC case regarding subsigs -12, -15 and -17. I seem to be having some major issues. In the meantime, I am going to remove the "produce alert" action from the others. The number of events has quadrupled since I applied release 248, all of it from sig 1330.

Thanks again.

M
