This sig is set to log and I have had a look at the packet captures but not sure how to check if this is a false positive. My gut feeling is this is ok but just wondered. Any suggestions on what I should look for?
The IN address is our local proxy server and the out address is an internal web server that is running a front end application.
Signature 3250 will fire when the ratio of data-less ACK packets to data-full ACK packets is 10 / 1 in a telnet, rlogin, or rsh session. The sensor has default threshold of 90 seconds for tracking TCP streams. If no stream activity is seen for 90 seconds, the stream will be dropped from inspection. If 3-Way Handshaking is enabled, all further traffic from a dropped stream will be ignored. If 3-Way Handshaking is disabled, inspection will resume in a new context. The signature monitors tcp ports 23, 512, and 513.
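To answer the original question of what to look for in the captures, here is an added triage helper (not from this thread or from Cisco) that applies the rule described above to a packet listing: it groups packets into streams, drops a stream's context after 90 seconds of silence, and counts data-less versus data-full ACKs per context. The addresses and packet records are constructed placeholders standing in for the proxy and the web server.

```python
STREAM_TIMEOUT = 90.0   # sensor's default idle timeout, from the description above
RATIO_THRESHOLD = 10    # data-less ACKs per data-full ACK before sig 3250 fires

# Constructed sample: (time_s, src, sport, dst, dport, ack_flag, payload_len).
# Placeholder addresses stand in for the proxy ("IN") and web server ("OUT").
PROXY, WEB = "10.0.0.1", "10.0.0.2"
SAMPLE = (
    # stream 1: one data-carrying ACK from the server, then 12 bare ACKs from the proxy
    [(0.5, WEB, 80, PROXY, 3418, True, 1460)]
    + [(1.0 + i, PROXY, 3418, WEB, 80, True, 0) for i in range(12)]
    # stream 2: balanced request/response traffic, 5 data-full and 5 data-less ACKs
    + [(20.0 + i, PROXY, 3419, WEB, 80, True, 0 if i % 2 else 512) for i in range(10)]
    # stream 1 again after more than 90 s idle: counted as a fresh context
    + [(300.0, PROXY, 3418, WEB, 80, True, 0)]
)

def stream_key(src, sport, dst, dport):
    """Direction-independent 4-tuple so both halves of a session share counters."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def ack_counts(packets, timeout=STREAM_TIMEOUT):
    """Count data-less vs data-full ACKs per stream context.

    A context is dropped after `timeout` seconds of silence; the next packet
    starts a new context, mirroring the sensor's stream tracking.
    Returns {(key, context_no): (empty_acks, data_acks)}.
    """
    live = {}      # key -> [last_seen, context_no, empty_acks, data_acks]
    counts = {}
    for t, src, sport, dst, dport, ack, plen in sorted(packets, key=lambda p: p[0]):
        key = stream_key(src, sport, dst, dport)
        st = live.get(key)
        if st is None or t - st[0] > timeout:
            st = [t, 0 if st is None else st[1] + 1, 0, 0]
            live[key] = st
        st[0] = t
        if ack:
            st[2 if plen == 0 else 3] += 1
        counts[(key, st[1])] = (st[2], st[3])
    return counts

def would_fire(empty, data, threshold=RATIO_THRESHOLD):
    """Approximation of the 10:1 rule; with no data-full ACKs yet, require 10 bare ACKs."""
    return empty >= threshold * max(data, 1)

def suspicious_streams(packets):
    """Stream contexts in the listing whose ACK ratio reaches the signature's threshold."""
    return sorted(k for k, (e, d) in ack_counts(packets).items() if would_fire(e, d))
```

A proxy-to-web-server session that acknowledges a large response with many bare ACKs reaches the ratio easily, which is consistent with the web and proxy servers being the usual sources of this alert when the port restriction is not in effect.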
In the post from a-vazquez it is mentioned that signature 3250 monitors TCP ports 23, 512, and 513. Has there been a change in version 4.1.4 to monitor all TCP ports? In our network, I am seeing this signature triggered fairly often. Web servers and proxy servers seem to be the main culprits. Anyone else seeing this?
While I don't have any packet captures to support the position that SigID 3250 is firing on ports other than the three listed, I do have an entry from my SIMS and a screen capture from IDM on the involved sensor (and it was not tuned) that would support that things may be amiss.
Here's the log:
Timestamp - 2004:06:07 14:54:25 GMT
Method - TCP Hijack
Source IP -
Source Port - 3418
Destination IP -
Dest Port - 80
SigID - 3250
NOTE: The screen capture clearly shows that no ports are listed in the "ServicePorts" variable field.