I am seeing this as well. I have packet captures I can upload as necessary. I have been seeing this for a long time. Basically this seems to always happen between Windows machines; in my environment, one of the pair of machines in an alert will always be an Active Directory box or part of a SQL cluster.
The packets always appear to start with a "normal" header, but around byte 38 (where the source port is stored) the pattern of 0x3f bytes begins. In many packets the pattern repeats up to 1517, completely padding out the packet; in other cases it's not as many. On those where there is the full amount of padding, the packet ends up "oversized."
Since the source and destination port fields are both overwritten with 0x3f3f (they are double-byte fields), the IDS and any sniffer software seem to identify this as source and destination port 16191. The length field is also reported as 16191 and the checksum shows as 0x3f3f.
There was one fellow who reported this on the Incidents mailing list at SecurityFocus, but he never figured out what was causing it in his environment - he thought it might be some kind of unknown trojan activity. He also uses Cisco IDS, although I don't know the specific model/version. In my own environment, all the Windows servers are Compaq of various models, so there might be something there as well.
This was reported on the SANS daily digest about a week ago - they said they were receiving some reports of this activity but had no data. The attached capture is one I took on an IDSMv2 blade here; I edited it to only include the single packet that fired the alerts (it's always the first packet, and there are never any others in the remaining packets in these captures).
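For triaging captures like the ones described in the post above, here is an added example (not part of the original post) that checks a raw frame for the 0x3f fill and reports how far it runs. It assumes Ethernet II framing with IPv4 and an 8-byte transport header laid out as ports, length and checksum; the function names and the sample frames are constructed for illustration, and the transport header is located from the IP header length rather than a fixed offset.

```python
import struct

FILL = 0x3F  # two fill bytes read as one 16-bit field give 0x3f3f == 16191

def l4_offset(frame):
    """Return (ip_proto, transport offset) for an Ethernet II / IPv4 frame, else None."""
    off = 12
    if frame[off:off + 2] == b"\x81\x00":      # one 802.1Q tag shifts everything by 4
        off += 4
    if frame[off:off + 2] != b"\x08\x00":      # IPv4 only
        return None
    ip = off + 2
    if len(frame) < ip + 20 or frame[ip] >> 4 != 4:
        return None
    ihl = (frame[ip] & 0x0F) * 4               # IP options move the transport header
    if ihl < 20 or len(frame) < ip + ihl:
        return None
    return frame[ip + 9], ip + ihl

def inspect(frame):
    """Return details of the 0x3f fill, or None when the header fields are not all 0x3f3f."""
    parsed = l4_offset(frame)
    if parsed is None or len(frame) < parsed[1] + 8:
        return None
    proto, l4 = parsed
    sport, dport, length, csum = struct.unpack_from("!HHHH", frame, l4)
    if not (sport == dport == length == csum == 0x3F3F):
        return None
    payload = frame[l4:]
    run = len(payload) - len(payload.lstrip(bytes([FILL])))
    return {"l4_offset": l4, "ip_proto": proto, "port": sport,
            "fill_run": run, "fills_to_end": run == len(payload)}

def sample_frame(l4_bytes, vlan=False):
    """Constructed test frame: zeroed MACs, 10.0.0.x addresses, IP protocol 17 (assumed)."""
    eth = bytes(6) + bytes(6) + (b"\x81\x00\x00\x01" if vlan else b"") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_bytes), 0, 0, 128, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4_bytes

if __name__ == "__main__":
    print(inspect(sample_frame(bytes([FILL]) * 1483)))                     # fill to end of frame
    print(inspect(sample_frame(bytes([FILL]) * 40 + bytes(8), vlan=True)))  # partial fill
    print(inspect(sample_frame(struct.pack("!HHHH", 1434, 1434, 8, 0))))   # ordinary header
```

Feeding it the first packet of each alerting capture gives a quick way to compare fill lengths across host pairs.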