TCP Segment Overwrites

We're seeing a lot of these alerts in the IPS and MARS. I've made a few packet captures, but have been unable to completely identify the issue.

If I create a packet capture, I see an occasional duplicate ACK, but those same events don't appear to trigger within the IPS.

These are 3 separate incidents and the logs from each:

http://pastebin.com/m7bc382c9

2 REPLIES

Re: TCP Segment Overwrites

Make sure that you enable the desired interfaces (including subinterfaces) on the router for packet monitoring. You can select any number of interfaces or subinterfaces to be monitored. The packets sent and received on these interfaces are forwarded to NM-CIDS for inspection. You enable and disable the interfaces through the router CLI (Cisco IOS).

Cisco Employee

Re: TCP Segment Overwrites

Does your sensor see the traffic more than once?

A common situation seen in the field is that the sensor may be monitoring traffic on 2 sides of a router or firewall.

So traffic is seen coming from the client as it goes to the router, and then again from the router to the server. And vice versa for traffic from the server to the router.

This double monitoring can sometimes look like an attack is taking place.

If you do have this situation, then the best solution is to monitor each side of the router with a different virtual sensor. This way each virtual sensor only sees one copy of each packet.

This method can be done for both inline and promiscuous deployments.

Some platforms have a 1 virtual sensor limit while others have a 4 virtual sensor limit. If you are monitoring more networks than the number of virtual sensors, then you won't be able to monitor each network with a separate virtual sensor. If you are doing inline monitoring, then there is another option. There is an inline-TCP-session-tracking mode configuration that can be set to "interface-and-vlan". With this setting the virtual sensor will separately track TCP sessions across the 2 or more networks.

If you truly are monitoring just a single network, then the above is unlikely to be your problem.

The packets you've captured, however, are not enough to test the sensor. Your packet captures are only capturing the end of your TCP session.

If you replay them to the sensor, the sensor will likely ignore the packets.

You will need to capture a complete TCP session including the initial SYN packet that starts the connection.
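An added example (not from the thread or from Cisco) of the triage the reply above describes: walk a capture and tell apart exact repeats of a segment (what a sensor sees when it monitors both sides of a router) from true overwrites (same sequence range, different bytes), and flag whether the capture contains the initial SYN. The packet records are a constructed dict format, not a pcap parser.

```python
from collections import defaultdict


def overlap_bytes(seq_a, data_a, seq_b, data_b):
    """Return the bytes of both segments over their shared sequence range, or None."""
    start = max(seq_a, seq_b)
    end = min(seq_a + len(data_a), seq_b + len(data_b))
    if start >= end:
        return None
    return data_a[start - seq_a:end - seq_a], data_b[start - seq_b:end - seq_b]


def classify_capture(packets):
    """Count new, duplicate and overwriting data segments per direction.

    A segment overlapping an earlier one with identical bytes is a 'duplicate'
    (retransmission or the same packet seen twice); overlapping with different
    bytes is an 'overwrite'. has_syn records whether a SYN was captured at all.
    """
    seen = defaultdict(list)  # (src, dst) -> [(seq, payload), ...]
    counts = {"new": 0, "duplicate": 0, "overwrite": 0, "has_syn": False}
    for p in packets:
        if "S" in p["flags"]:
            counts["has_syn"] = True
        if not p["payload"]:  # pure ACK/SYN carries no stream data to compare
            continue
        flow = (p["src"], p["dst"])
        verdict = "new"
        for seq, data in seen[flow]:
            ov = overlap_bytes(seq, data, p["seq"], p["payload"])
            if ov is None:
                continue
            verdict = "duplicate" if ov[0] == ov[1] else "overwrite"
            if verdict == "overwrite":
                break  # one conflicting overlap is enough to call it an overwrite
        counts[verdict] += 1
        seen[flow].append((p["seq"], p["payload"]))
    return counts


# Constructed sample: one client->server direction of a short HTTP session.
C, S = "10.0.0.5:40000", "10.0.0.9:80"
SAMPLE = [
    {"src": C, "dst": S, "seq": 100, "flags": "S", "payload": b""},
    {"src": C, "dst": S, "seq": 101, "flags": "PA", "payload": b"GET / HTTP/1.1\r\n"},
    # the same segment again, as when the sensor sees both sides of a router
    {"src": C, "dst": S, "seq": 101, "flags": "PA", "payload": b"GET / HTTP/1.1\r\n"},
    # same sequence range, different bytes: a genuine overwrite
    {"src": C, "dst": S, "seq": 105, "flags": "PA", "payload": b"X" * 8},
]
```

A capture whose alerts come from double monitoring shows duplicates but no overwrites, and a capture with has_syn False is the truncated kind the reply says the sensor will ignore on replay.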
