Cisco Support Community

New Member

TCP Segment Overwrite - IDSM2 with IPS5.1(1d)


I have an IDSM2 running IPS5.1(1d)S220 upgraded recently from 4.x. My network has windows desktops (spanned on multiple subnets) whose default gateway is a Cisco 6500 FWSM module.

Since I upgraded to IPS 5.x, I am seeing lots and lots of TCP Hijack and TCP Segment Overwrite alarms. The source addresses of these alarms are my Windows PCs; the destination addresses are Windows 2003 servers. Sometimes the destination address and ports are empty.

It is difficult to ignore so many alarms unless there is a technical explanation, to see if the placement of the FWSM is causing the IPS to treat this as a threat.

Can someone help me to get out of this issue?

New Member

Re: TCP Segment Overwrite - IDSM2 with IPS5.1(1d)

The ones with 0 ports are the summary alerts - it fired x times in the last minute, etc.

New Member

Re: TCP Segment Overwrite - IDSM2 with IPS5.1(1d)

I found this on a previously written thread. I cannot find the thread anymore. All credit is given to the message owner. I hope the reply helps.

mlhall of - CISCO SYSTEMS wrote:

Oct 6, 2003, 11:06am PST

I have several packet traces from several customers that see this alert. There appears to be a bug in the Microsoft TCP stack when connections go stale. What happens is that the last successful segment's last byte is resent with a value of 0xff. This is after the other end host has ACK'ed the sequence from the last segments.

So, for example:

a->b seq=100 data="ABCDEFG"
b->a ack=107 no data
a->b seq=106 data="(0xff)"

The last packet in the example is overwriting the G in the first packet with a 0xff. This causes the IDS to fire. We are working on detecting this stack bug in a new version.
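To make the quoted exchange concrete, here is an added example: a small Python TCP segment-overwrite detector that replays the three segments above and flags the one-byte 0xff rewrite. It is not Cisco IPS code and does not claim to reproduce how the IDSM2 signature works; the segment records are constructed for the example, sequence-number wraparound and the handshake are ignored, and the names (Segment, OverwriteDetector, the "stale-stack-pattern" label) are this example's own. It goes slightly beyond the post by also feeding an identical-data retransmission, which a well-behaved detector should stay silent on, and a genuine multi-byte overwrite of already-seen data, so the stale-stack case can be told apart from a real attempt to replace stream content.

```python
# Added example: toy TCP segment-overwrite detector for the exchange quoted
# above. Not Cisco IPS code; the data below is constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Segment:
    src: str
    dst: str
    seq: int              # sequence number of the first payload byte
    ack: Optional[int]    # acknowledgement number, None if ACK not set
    data: bytes


@dataclass
class FlowState:
    # seq -> byte value already observed on this one-way flow
    seen: Dict[int, int] = field(default_factory=dict)
    # highest ack number the peer has returned for this flow's data
    acked: int = 0


class OverwriteDetector:
    """Track bytes per one-way flow and alert when a later segment carries a
    different value for a sequence number that was already seen."""

    def __init__(self) -> None:
        self.flows: Dict[Tuple[str, str], FlowState] = {}
        self.alerts: List[dict] = []

    def _state(self, src: str, dst: str) -> FlowState:
        return self.flows.setdefault((src, dst), FlowState())

    def feed(self, seg: Segment) -> List[dict]:
        # An ACK from dst->src acknowledges data on the src->dst flow, i.e.
        # the reverse of the segment that carries it.
        if seg.ack is not None:
            rev = self._state(seg.dst, seg.src)
            rev.acked = max(rev.acked, seg.ack)
        st = self._state(seg.src, seg.dst)
        for i, b in enumerate(seg.data):
            s = seg.seq + i
            old = st.seen.get(s)
            if old is None:
                st.seen[s] = b            # first time we see this offset
            elif old != b:
                self.alerts.append(self._classify(seg, st, s, old, b))
            # identical byte: plain retransmission, nothing to report
        return self.alerts

    def _classify(self, seg: Segment, st: FlowState, s: int, old: int, new: int) -> dict:
        # Pattern from the quoted post (hypothetical label, not a Cisco signature
        # name): a one-byte segment carrying 0xff that rewrites the last byte the
        # peer has already acknowledged.
        stale = len(seg.data) == 1 and new == 0xFF and s == st.acked - 1
        return {
            "src": seg.src, "dst": seg.dst, "seq": s, "old": old, "new": new,
            "kind": "stale-stack-pattern" if stale else "segment-overwrite",
        }


def run_stale_case() -> List[dict]:
    """The exchange from the post: ABCDEFG, ACK 107, then seq 106 = 0xff."""
    d = OverwriteDetector()
    d.feed(Segment("a", "b", 100, None, b"ABCDEFG"))
    d.feed(Segment("b", "a", 500, 107, b""))
    d.feed(Segment("a", "b", 106, None, b"\xff"))
    return d.alerts


def run_retransmit_case() -> List[dict]:
    """Same bytes resent at the same sequence numbers: no alert expected."""
    d = OverwriteDetector()
    d.feed(Segment("a", "b", 100, None, b"ABCDEFG"))
    d.feed(Segment("a", "b", 100, None, b"ABCDEFG"))
    return d.alerts


def run_overwrite_case() -> List[dict]:
    """Different bytes inside already-seen data: one alert per changed byte."""
    d = OverwriteDetector()
    d.feed(Segment("a", "b", 100, None, b"ABCDEFG"))
    d.feed(Segment("b", "a", 500, 107, b""))
    d.feed(Segment("a", "b", 103, None, b"XYZ"))   # overwrites D, E, F
    return d.alerts


if __name__ == "__main__":
    for name, fn in (("stale", run_stale_case),
                     ("retransmit", run_retransmit_case),
                     ("overwrite", run_overwrite_case)):
        print(name, fn())
```

The detector keys only on "same sequence number, different byte", which is also why an IPS sees both the harmless stale-stack resend and a deliberate rewrite as the same event until it applies extra conditions such as the single-byte 0xff-after-ACK check in `_classify`.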
