TCP Hijack signatures fire in error

DFiore
Level 1

Hello,

Is there any news as to when the bug with the TCP Hijack signatures will be fixed?

According to forum posts from March, the bug CSCsd00877 in the TCP Hijack signatures (3250, 3251) is being addressed by Cisco.

I'm having the exact same problem (except for the Segment Overwrites) as Vasanth.

Any news would be greatly appreciated.

Regards,

David

-------------------------------------

Replied by: yvasanthk - Mar 28, 2006, 4:32am PST

Hi,

I have an IDSM2 running IPS5.1(1) S222.0 upgraded recently from 4.x.

My network has windows desktops, spanned on multiple VLANs. Cisco 6500 FWSM module routes between these VLANs and is the default gateway for each of these desktop VLANs.

Since I upgraded to IPS 5.x, I am seeing lots and lots of TCP Hijack and TCP Segment Overwrite alarms. The source addresses of these alarms are my Windows PCs; the destination addresses are Windows 2003 servers. There is no pattern. All traffic that crosses my firewall module is being marked as "TCP Segment Overwrite" or "TCP Hijack".

It is difficult to ignore so many alarms unless there is a technical explanation to see if the placement of FWSM is causing IPS to treat this traffic as malicious.

I was not seeing these alarms when I had IDSM-2 with 4.x software.

Please guide me to troubleshoot this issue.

regards,

Vasanth

-------------------------------------

Replied by: nkhawaja - CCIE - Mar 28, 2006, 8:03pm PST

Hi Vasanth,

Thanks for your question. I think you are facing this bug CSCsd00877.

Here is the detail:

Symptom:

TCP Hijack signatures (3250, 3251) fire at random times and there is no hijack, or traffic that appears to be a hijack, occurring.

Conditions:

An IPS sensor in promiscuous mode will sometimes fire a hijack signature when none of the traffic that should trigger the signature is observed.

Workaround:

Set enabled: false for the signatures until this DDTS is resolved.
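The workaround above, as an added example of how it is entered on the IPS 5.x sensor CLI (not taken from the original thread; the `sensor` hostname and subsignature `0` for each signature are assumed):

```console
sensor# configure terminal
sensor(config)# service signature-definition sig0
! TCP Hijack, signature 3250 subsig 0 (subsig 0 assumed)
sensor(config-sig)# signatures 3250 0
sensor(config-sig-sig)# status
! Temporary measure until the CSCsd00877 fix is applied;
! set this back to "enabled true" after upgrading
sensor(config-sig-sig-sta)# enabled false
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
! TCP Hijack Simplex Mode, signature 3251 subsig 0 (subsig 0 assumed)
sensor(config-sig)# signatures 3251 0
sensor(config-sig-sig)# status
sensor(config-sig-sig-sta)# enabled false
sensor(config-sig-sig-sta)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]: yes
```

Confirm the change with `show configuration` under `service signature-definition sig0`; only 3250 and 3251 are covered by the bug description above, so leave other signatures enabled.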


b.hsu
Level 5

Set enabled: false for the signatures, or else

use the release 5.01 or later

wgorman
Level 1

This week we upgraded the IDS v4.1 to IPS v5.1(4) S258. Seeing many hits on the same 3 sigIDs (1300, 3250, & 3251). Is there still a bug CSCsd00877 that affects sigs 3250 and 3251? What about sig 1300?

Should I follow your workaround below for all 3 sigs?

Set enabled: false for the signatures until this DDTS is resolved
