I am looking for an explanation of the changes made to sig 1330 with release 248. Many of the Normalizer subsigs did not produce alerts before. Now they do, and my sensors are firing a ton of 1330 events. It would be great if any Cisco Signature Engineers were able to respond. Thank you in advance.
A second question about 1330 subsigs 12, 15 and 17 (Segment out of order, Segment already ACKed by peer, Segment out of state order, respectively). What do these do? These three cause major grief for us, especially when the sensor is placed behind the PIX/ASA inside interface. We experience many "deny-packet-inline" actions, which breaks many applications. I have to remove the "action" globally to allow the apps to work. Is there any impact to removing this action?
Subsigs 12 & 15 are pretty much what the title states: a segment was received out of order, or a segment was already ACKed by its peer (duplicate ACK). -17 relies on TCP state, so we'd fire on a dataful packet received after, say, the FIN or RST.
Some of the 1330 sigs will fire on normal traffic, the easiest one to make sense of that would be something like the -15 subsig... it would fire on duplicate ACKs.
There is not a huge impact to changing the actions on these sigs, but I would say that it's worth investigating. In this case, for the ones you have issues with, I'd suggest opening a TAC case so we can dedicate some resources to it and keep private information off the forums.
Thank you very much for your response. I do need to open a TAC case regarding subsigs -12, -15 and -17. We seem to be having some major issues. In the meantime, I am going to remove the "produce alert" action from the others. The number of events has quadrupled since I applied release 248, and all of it is from sig 1330.
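Added example, not from this thread or from Cisco's normalizer: a simplified per-flow tracker in Python that flags the three conditions the reply describes for subsigs 12, 15 and 17 on a constructed two-party segment sequence. The flow model, the flag handling and the exact test for each condition are assumptions for illustration, not the sensor's actual logic.

```python
from dataclasses import dataclass, field

# TCP flag bits used below
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

@dataclass
class Seg:
    side: str      # "c" (client) or "s" (server); constructed two-party flow
    seq: int
    ack: int
    flags: int
    plen: int = 0  # payload length in bytes

@dataclass
class Flow:
    next_seq: dict = field(default_factory=dict)  # side -> next expected seq from that side
    hi_ack: dict = field(default_factory=dict)    # side -> highest ack number that side has sent
    fin_sent: set = field(default_factory=set)    # sides that have sent FIN
    reset: bool = False                           # an RST has been seen on the flow

def classify(flow: Flow, s: Seg) -> list:
    """Return the 1330 subsig numbers (12, 15, 17) this segment matches, then update flow state."""
    hits = []
    peer = "s" if s.side == "c" else "c"
    if s.plen:
        # -17 (simplified): data after the sender's own FIN, or after any RST
        if s.side in flow.fin_sent or flow.reset:
            hits.append(17)
        # -15: whole payload lies below what the peer already ACKed (retransmit of acked data)
        if peer in flow.hi_ack and s.seq + s.plen <= flow.hi_ack[peer]:
            hits.append(15)
        # -12: sequence number jumps past the next expected byte (a hole precedes it)
        if s.side in flow.next_seq and s.seq > flow.next_seq[s.side]:
            hits.append(12)
    # State update: highest ack sent, next expected seq (SYN/FIN consume one seq number)
    if s.flags & ACK:
        flow.hi_ack[s.side] = max(flow.hi_ack.get(s.side, 0), s.ack)
    end = s.seq + s.plen + (1 if s.flags & (SYN | FIN) else 0)
    flow.next_seq[s.side] = max(flow.next_seq.get(s.side, 0), end)
    if s.flags & FIN:
        flow.fin_sent.add(s.side)
    if s.flags & RST:
        flow.reset = True
    return hits

def run_demo() -> list:
    """Constructed exchange: handshake, an out-of-order segment, a retransmit of acked data, data after FIN."""
    flow = Flow()
    exchange = [
        Seg("c", 100, 0, SYN), Seg("s", 500, 101, SYN | ACK), Seg("c", 101, 501, ACK),
        Seg("c", 101, 501, ACK, 10), Seg("c", 121, 501, ACK, 10), Seg("c", 111, 501, ACK, 10),
        Seg("s", 501, 131, ACK), Seg("c", 101, 501, ACK, 10),
        Seg("c", 131, 501, FIN | ACK), Seg("c", 132, 501, ACK, 5),
    ]
    return [classify(flow, s) for s in exchange]
```

Segment 5 arrives ahead of a hole (-12), segment 8 retransmits bytes the server already acknowledged (-15), and segment 10 carries data after the client's own FIN (-17); everything else in the exchange is clean.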