02-20-2004 01:53 AM - edited 03-09-2019 06:29 AM
Hi
Our IDS logged the following alert in the event log:
signature: sigId=3250 sigName=TCP Hijack subSigId=0 version=2.1.1
participants:
attack:
attacker: proxy=false
addr: locality=IN x.x.x.x
port: 27912
victim:
addr: locality=OUT x.x.x.x
port: 80
This sig is set to log and I have had a look at the packet captures but not sure how to check if this is a false positive. My gut feeling is this is ok but just wondered. Any suggestions on what I should look for?
The IN address is our local proxy server and the out address is an internal web server that is running a front end application.
Thanks in advance.
02-26-2004 08:05 AM
Signature 3250 will fire when the ratio of data-less ACK packets to data-full ACK packets is 10 / 1 in a telnet, rlogin, or rsh session. The sensor has default threshold of 90 seconds for tracking TCP streams. If no stream activity is seen for 90 seconds, the stream will be dropped from inspection. If 3-Way Handshaking is enabled, all further traffic from a dropped stream will be ignored. If 3-Way Handshaking is disabled, inspection will resume in a new context. The signature monitors tcp ports 23, 512, and 513.
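One way to check a capture against the rule as described above, as an added Python example that is not from this thread or from Cisco: it replays constructed packets and counts data-less versus data-full ACKs per TCP stream, with the 90-second idle reset and the port filter. `Pkt`, `replay_3250`, the sample traffic, and the reading of an empty ServicePorts set as "inspect every port" are assumptions.

```python
from collections import namedtuple

# Values quoted in the reply above: 10 data-less ACKs per data-full ACK,
# 90-second stream idle timeout, default ServicePorts 23, 512 and 513.
ACK_RATIO = 10
IDLE_TIMEOUT = 90
DEFAULT_PORTS = frozenset({23, 512, 513})

Pkt = namedtuple("Pkt", "ts src sport dst dport flags payload")

def flow_key(p):
    """Direction-independent key so both sides of a connection share one context."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def replay_3250(packets, service_ports=DEFAULT_PORTS):
    """Count data-less vs. data-full ACK segments per TCP stream and flag any
    stream whose ratio reaches ACK_RATIO:1.
    Returns {flow: {"empty": n, "data": m, "fired": bool}} per inspected flow."""
    ctx, result = {}, {}
    for p in sorted(packets, key=lambda q: q.ts):
        # Assumption (not stated in the thread): an empty ServicePorts set,
        # like the blank field in the dump posted later, inspects every port.
        if service_ports and not ({p.sport, p.dport} & service_ports):
            continue
        key = flow_key(p)
        last = ctx.get(key)
        if last is None or p.ts - last > IDLE_TIMEOUT:
            # No activity for IDLE_TIMEOUT s: old context dropped, start fresh.
            result[key] = {"empty": 0, "data": 0, "fired": False}
        ctx[key] = p.ts
        if "A" not in p.flags or "S" in p.flags:
            continue  # SYN/SYN-ACK and non-ACK segments are not counted
        r = result[key]
        r["empty" if p.payload == 0 else "data"] += 1
        # A stream with no data-full ACKs yet is compared against 1 (assumption).
        if r["empty"] >= ACK_RATIO * max(r["data"], 1):
            r["fired"] = True
    return result

def sample_capture():
    """Constructed traffic, not from the thread: a telnet stream with one
    data-full ACK followed by ten bare ACKs, and a short HTTP exchange
    between a proxy (port 27912) and a web server (port 80)."""
    pkts = [Pkt(0, "10.0.0.5", 40000, "10.0.0.9", 23, "PA", 12)]
    pkts += [Pkt(t, "10.0.0.5", 40000, "10.0.0.9", 23, "A", 0) for t in range(1, 11)]
    pkts.append(Pkt(0, "10.0.0.5", 27912, "10.0.0.8", 80, "PA", 200))       # GET
    for t in range(1, 6):
        pkts.append(Pkt(t, "10.0.0.8", 80, "10.0.0.5", 27912, "PA", 1460))  # response
        pkts.append(Pkt(t, "10.0.0.5", 27912, "10.0.0.8", 80, "A", 0))      # bare ACK
    return pkts
```

With the default ports only the telnet stream is inspected and it alarms at 10:1; with an empty port set the HTTP stream is inspected too, but a normal download pattern (one bare ACK per data segment) stays well under the ratio.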
06-07-2004 02:45 AM
In the post from a-vazquez it is mentioned that the signature 3250, monitors tcp ports 23, 512, and 513. Has there been a change in version 4.1.4 to monitor all TCP ports? In our network, I am seeing this signature triggered fairly often. Web servers and proxy servers seem to be the main culprit. Anyone else seeing this?
SIGID: 3250
SubSig: 0
AlarmDelayTimer:
AlarmInterval:
AlarmSeverity: high default: high
AlarmThrottle: FireOnce
AlarmTraits:
CapturePacket: False
ChokeThreshold:
Enabled: True default: True
EventAction: ZERO
FlipAddr:
FragmentThreshold:
HijackMaxOldAck: 200
HijackReset:
MaxInspectLength:
MaxTTL:
MinHits:
MpcPercentThreshold:
MpcTimeout:
Protocol: TCP
ResetAfterIdle: 15
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>ServicePorts:
SigComment: TCP Hijack
SigName: TCP Hijack
SigStringInfo:
SigVersion: 2.1.1
StorageKey: xxxx
SummaryKey: Axxx
SynFloodMaxEmbrionic:
ThrottleInterval: 15
TrafficFlowTimeout:
WantFrag:
02-26-2004 09:01 AM
As mentioned by the previous poster, this signature looks for an imbalance of data-less vs. data-full ACK packets. If you send a traffic sample to mcerha@cisco.com, I can give you a precise diagnosis.
06-07-2004 07:34 AM
While I don't have any packet captures to support the position that SigID 3250 is firing on ports other than the three listed, I do have an entry from my SIMS and a screen capture from IDM on the involved sensor (and it was not tuned) that would support that things may be amiss.
Here's the log:
Timestamp - 2004:06:07 14:54:25 GMT
Method - TCP Hijack
Source IP -
Source Port - 3418
Destination IP -
Dest Port - 80
SigID - 3250
NOTE: The screen capture clearly shows that no ports are listed in the "ServicePorts" variable field.
Alex Arndt
06-07-2004 01:49 PM
Alex, thank you for your reply and support;
I am sorry to push this one back up in the queue but I'd really like to hear any comments from Cisco regarding this signature.
Is there something missing in the signature or is this the way that it was intended for 4.1_4s95??