Cisco Support Community

New Member

Sig Release 248 - NORMALIZER changes

I am looking for an explanation of the changes made to the sig 1330 with release 248. Many of the Normalizer subsigs did not produce alerts before. Now they do and my sensors are firing a ton of 1330 events. Any Cisco Signature Engineers able to respond would be great. Thank you in advance.

A second question about 1330 subsig 12, 15 and 17 (Segment out of order, Segment already ACKed by peer, Segment out of state order, respectively). What do these do? These three cause major grief for us, especially when the sensor is placed behind the PIX/ASA inside interface. We experience many "deny-packet-inline" actions, which break many applications. I have to remove the "action" globally to allow the apps to work. Is there any impact to removing this action?

Thank you in advance

M

3 REPLIES
Cisco Employee

Re: Sig Release 248 - NORMALIZER changes

As to the changes:

1308 was disabled.

1311 deny connection inline was removed

1330 -3, -4, -11, -14, -16 were set to produce alerts and the deny packet inline action was removed.

1330-15 was disabled

Let me get back to you in a few regarding the others you mention in the second paragraph.

Cisco Employee

Re: Sig Release 248 - NORMALIZER changes

Second part....

Subsigs 12 & 15, pretty much what the title states, a segment was received out of order, or a segment was already ACKed by its peer (duplicate ACK). -17 relies on TCP state, so we'd fire on a dataful packet received after say the FIN or RST.

Some of the 1330 sigs will fire on normal traffic; the easiest one to make sense of would be something like the -15 subsig... it would fire on duplicate ACKs.

There is not a huge impact to changing the actions on these sigs, but I would say that it's worth investigating. In this case, for the ones you have issues with, I'd suggest opening a TAC case so we can dedicate some resources to it and keep private information off the forums.
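To make the three subsig descriptions in the reply above concrete, here is an added toy classifier (not Cisco's Normalizer code, and not from anyone in this thread) that labels constructed TCP segments from one sender as out of order (-12), already ACKed by the peer (-15), or data after FIN/RST (-17); the sequence numbers and the `StreamState`/`classify` names are assumptions for illustration.

```python
# Added illustration, not Cisco IPS code: a minimal per-sender TCP tracker
# that approximates the three 1330 subsig conditions described in the thread.
from dataclasses import dataclass
from typing import List, Optional

OUT_OF_ORDER = "1330-12 segment out of order"
ALREADY_ACKED = "1330-15 segment already ACKed by peer"
OUT_OF_STATE = "1330-17 segment out of state order"

@dataclass
class Segment:
    seq: int          # sequence number of the first payload byte
    length: int       # payload bytes; 0 for a pure ACK or bare FIN
    flags: str = ""   # "FIN" or "RST" when the sender is closing

@dataclass
class StreamState:
    next_seq: int         # next byte we expect this sender to transmit
    peer_ack: int         # highest sequence number the peer has ACKed
    closed: bool = False  # set once a FIN or RST from this sender is seen

def classify(state: StreamState, seg: Segment) -> Optional[str]:
    """Return the subsig label a toy normalizer would raise, or None."""
    end = seg.seq + seg.length
    # -17: payload arriving after this side already sent FIN/RST.
    if state.closed and seg.length > 0:
        return OUT_OF_STATE
    # -15: every byte of the segment was already ACKed by the peer, i.e. a
    # retransmission of acknowledged data (the "duplicate ACK" case).
    if seg.length > 0 and end <= state.peer_ack:
        return ALREADY_ACKED
    # -12: the segment starts past what we expected, leaving a hole; the toy
    # does not buffer it, so state is left untouched.
    if seg.seq > state.next_seq:
        return OUT_OF_ORDER
    # In order: advance the expected sequence and note a closing flag.
    state.next_seq = max(state.next_seq, end)
    if seg.flags in ("FIN", "RST"):
        state.closed = True
    return None

def run_demo() -> List[Optional[str]]:
    """Constructed sample: sender is at seq 1500 and the peer has ACKed 1500."""
    state = StreamState(next_seq=1500, peer_ack=1500)
    segments = [
        Segment(1500, 100),       # in order
        Segment(1400, 100),       # retransmit of data already ACKed -> -15
        Segment(1700, 100),       # skips 1600..1699 -> -12
        Segment(1600, 0, "FIN"),  # in-order FIN, stream now closed
        Segment(1601, 50),        # payload after FIN -> -17
    ]
    return [classify(state, s) for s in segments]
```

Note that the second segment is ordinary retransmission behaviour, which is why -15 fires on healthy connections and why the reply above says it is seen on normal traffic.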

New Member

Re: Sig Release 248 - NORMALIZER changes

Thank you very much for your response. I do need to open a TAC case regarding subsig -12, -15 and -17. We seem to be having some major issues. In the meantime, I am going to remove the "produce alert" from the others. The number of events has quadrupled since I applied release 248, and all of it is from sig 1330.

Thanks again.

M
