Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
598
Views
0
Helpful
2
Replies

TCP-Hijack - triggers continuously

jodamus112
Level 1
Level 1

‎02-07-2014 05:11 AM - edited ‎03-10-2019 06:08 AM

Hi,

I have an IPS4270 appliance (IPS4270-20-K9) in IDS mode. I am getting continuous triggers on the TCP Hijack signature and the attacker is always the proxy server. with the target of various external addresses and 1 specific internal address hosting web services (ports 80 & 443).

evIdsAlert: eventId=6822622857377  vendor=Cisco  severity=high  alarmTraits=2147516416 
  originator:  
    hostId: PETROSA-PRW-IPS4270-IPS1 
    appName: sensorApp 
    appInstanceId: 1492 
  time: Feb 07, 2014 12:33:17 UTC  offset=120  timeZone=GMT+02:00 
  signature:   description=TCP Hijack  id=3250  version=S739  type=anomaly  created=20010202 
    subsigId: 0 
    sigDetails: TCP Hijack 
  interfaceGroup: ServerVlan 
  vlan: 3 
  participants:  
    attacker:  
      addr: 10.0.2.111  locality=OUT 
      port: 65077 
    target:  
      addr: 198.72.112.12  locality=OUT 
      port: 80 
      os:   idSource=unknown  type=unknown  relevance=relevant 
  actions:  
    snmpTrapRequested: true 
  triggerPacket:
000000  00 16 35 C2 39 87 00 24  14 BF 2E C0 81 00 A0 03  ..5.9..$........
000010  08 00 45 00 00 28 58 4A  40 00 7F 06 60 C2 0A 00  ..E..(XJ@...`...
000020  02 6F C6 48 70 0C FE 35  00 50 8C DB EE A7 B9 AF  .o.Hp..5.P......
000030  CC 0E 50 10 80 52 EC F6  00 00 00 00 00 00 00 00  ..P..R..........

  riskRatingValue: 100  targetValueRating=medium  attackRelevanceRating=relevant 
  threatRatingValue: 100 
  interface: ge3_0 
  protocol: tcp 

is this a false positive as it is triggering way too often and especially with it stating the proxy server as the attacker.

Thanks.

Labels:
0 Helpful
2 Replies 2

Mizanul Islam
Level 1
Level 1

‎02-07-2014 05:51 AM

Hi Jodamus112,

I suggest to you please do somethings for your network security (Configure IPS in Inline mode), Attacker attack to your web server from external site. Also make sure the webserver Antivirus working properly.

Regrads

Parosh

0 Helpful

jodamus112
Level 1
Level 1
In response to Mizanul Islam

‎02-07-2014 08:23 AM

Hi Parosh,

Thanks for the feedback. Are you requesting that I test the IPS inline between Proxy server and external site. Or are you saying I must deploy like that permanently.

Currently our proxy server is on our Local LAN, in a Server VLAN, and we are spanning the VLAN to the IPS port to detect the complete server VLAN. So won't be able to deploy inline and might be an issue to do this just for test purposes as it will not replicate the existing and current environment.

Thanks
Julian
Sent from Cisco Technical Support iPad App

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card