Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

TCP Hijack signatures fire in error

Hello,

Is there any news as to when the bug with the TCP Hijack signatures will be fixed?

According to forum posts from March, the bug CSCsd00877 in TCP Hijack signatures (3250,3251)is being addressed by Cisco.

I'm having the exact same problem (except for the Segment Overwrites) as Vasanth.

Any news would be greatly appreciated.

Regards,

David

-------------------------------------

Replied by: yvasanthk - Mar 28, 2006, 4:32am PST

Hi,

I have an IDSM2 running IPS5.1(1) S222.0 upgraded recently from 4.x.

My network has windows desktops, spanned on multiple VLANs. Cisco 6500 FWSM module routes between these VLANs and is the default gateway for each of these desktop VLANs.

Since I upgraded to IPS 5.x, I am seeing lots and lots of TCP Hijack and TCP Segment Overwrite alarms. The source addresses of these alarms are my windows PCs, destination addresses are Windows 2003 servers..There is no pattern. All traffic that crosses my firewall module is being marked as "TCP Segment Overwrite" or "TCP Hijack"

It is difficult to ignore so many alarms unless there is a technical explanation to see if the placement of FWSM is causing IPS to treat this traffic as malicious.

I was not seeing these alarms when I had IDSM-2 with 4.x software

Please guide me to troubleshoot this issue.

regards,

Vasanth

-------------------------------------

Replied by: nkhawaja - CCIE - Mar 28, 2006, 8:03pm PST

Hi Vasanth,

Thanks for your question. I think you are facing this bug CSCsd00877.

Here is the detail

Symptom:

TCP Hijack signatures (3250,3251) fire at random times and there is no hijack or traffic

that appears to be a hijack occuring.

Conditions:

A IPS sensor in promisc mode will sometimes fire a hijack signature when none of the

traffic that should trigger the signature is observed.

Workaround:

Set enabled: false for the signatures until this DDTS is resolved

2 REPLIES
Silver

Re: TCP Hijack signatures fire in error

Set enabled : false for the signatures or else ,

use the release 5.01 or later

New Member

Re: TCP Hijack signatures fire in error

This week we upgraded the IDS v4.1 to IPS v5.1(4) S258. Seeing many hits on same 3 sigIDs (1300, 3250, & 3251). Is there still a bug CSCsd00877 that effects sig 3250,3251 ? What about sig 1300?

Should I follow your workaround below for all 3 sigs?

Set enabled: false for the signatures until this DDTS is resolved

372
Views
0
Helpful
2
Replies
CreatePlease login to create content