Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

TCP Segment Overwrite

I've been reveiving events in my network firing the Signature 1300 TCP Segment Overwrite.

What is the cause of this firing? Could anyone tell me the potential danger of this in my net? Does anyone recommend a filter between inside sources and destinations?

Thank you,

Cisco Employee

Re: TCP Segment Overwrite

For an answer, I refer you to the MySDN entry for this signature:

Which says, "TCP streams are broken up into units called segments for transportation across the network, and TCP segments are encapsulated into IP packets. When received by a remote host in a TCP conversation, the segments are buffered from the network and then reassembled into a stream, which are passed to the controlling application. By manipulating the way in which a TCP stream is segmented, it is possible to evade detection by some firewalls and intrusion detection systems. The technique is to overwrite a portion of a previous segment in a stream with new data in a subsequent segment. This method allows an attacker to hide, or obfuscate, their attack on the network. Overwriting TCP segments is allowed by the TCP protocol, but it does not usually occur in normal network traffic and should be considered suspicious."


Re: TCP Segment Overwrite

We see lots of these internally. The ones I've investigated appeared to be misbehaving apps or clients and have not been malicious. You can't really see what the sig is checking for, but in the traces I looked at there were a lot of tcp segments out of order and duplicates.

New Member

Re: TCP Segment Overwrite

One theory I have regarding these, especially if you are correct and it detects duplicates, is that if, like us, you're sending an IPS unit traffic streams from multiple sources and the traffic happens to traverse both sources, it may be seen as duplicate segments when it's really two copies of the same traffic being forwarded to IPS.


Re: TCP Segment Overwrite