Signature 1102-Impossible Packet

SCOTT MCINTIRE
Level 1

I've had sig. 1102 Impossible Packet triggered on our internal 4210 sensor several times with source and destination as 3.0.0.2(General Electric IP). We use a private address scheme within our network. Is anyone aware of any applications or benign triggers that might cause this signature? Any ideas on tracking down would be appreciated as well.

6 Replies

gfullage
Cisco Employee

There are no benign triggers for this signature; the IDS is simply seeing a packet with the same source and destination address. 3.0.0.2 is a strange IP address for this to occur on in your inside network, true enough. I haven't heard of any application that does this kind of thing (it would be a pretty screwed up application to say the least).

To track it down is difficult since the source is obviously bogus. You could set this signature to IP Log which will tell the sensor to capture all the packets from this source when it next sees the sig, then you can use tcpdump or the like to have a look at the packets in depth. Maybe the source MAC address will be valid and you'll be able to track it down that way.

I do have the IPLOG of the event. How do I use tcpdump to view it? Would I be able to use a sniffer application to view it as well? Thank you. Scott

Ethereal works as well. Try http://www.ethereal.com.

n-timm
Level 1

We had a few instances of that IP on our sensor as well.

I have also seen this on our sensors occasionally.

pbobby
Level 1

In my environment we have ATM to TCP/IP. I usually see this signature during high volume periods between my ATM core and our TCP/IP Cisco border router (the border into the Corporation network).

In every case the source/destination IP addresses are of course the same, but vary between 127.0.0.1 and 127.0.0.10 (same in each case though).

The MAC addresses are the key: look at the MAC addresses and it will tell you the offending devices causing this traffic.

YMMV, but in my case I attributed it to a potentially buggy ATM <-> TCP/IP protocol change, and high traffic loads.

Doesn't happen often, but often enough (saw 2-3 detections per day).

Paul Bobby - Network Security Officer

Lockheed Martin Systems Integration
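An added example, not code from any poster in this thread or from Cisco, of the tracking step gfullage and pbobby describe: read an IP log, flag every IPv4 packet whose source and destination address are identical (what signature 1102 fires on), and report the Ethernet addresses of each hit so the device emitting the traffic can be located. It assumes the sensor's IP log has been saved in libpcap format with Ethernet framing (an assumption about the export, not something the thread confirms); the sample capture, its frames and its MAC addresses are constructed here for the demonstration.

```python
import struct
from ipaddress import IPv4Address

# libpcap constants (standard magic number and LINKTYPE_ETHERNET)
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Constructed Ethernet II + IPv4 frame. The IP checksum is left zero because
    this example only inspects addresses and never validates the header."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"        # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(payload),           # version/IHL, TOS, total length
                     0, 0, 64, 6, 0,                       # id, flags/frag, TTL, proto=TCP, checksum
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip + payload


def build_pcap(frames):
    """Constructed little-endian libpcap file wrapping the given frames (ts = index)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap):
    """Yield (timestamp, frame bytes) from a libpcap file written in either byte order."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic read through the opposite byte order
        endian = ">"
    else:
        raise ValueError("not a libpcap capture")
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        offset += 16
        yield ts_sec, pcap[offset:offset + incl_len]
        offset += incl_len


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def find_impossible_packets(pcap):
    """One record per IPv4 packet whose source and destination address are the same,
    carrying both Ethernet addresses so the sending device can be traced."""
    hits = []
    for ts, frame in iter_packets(pcap):
        if len(frame) < 34:                 # shorter than Ethernet + minimal IPv4 header
            continue
        dst_mac, src_mac = frame[0:6], frame[6:12]
        if frame[12:14] != b"\x08\x00":     # not IPv4
            continue
        if frame[14] >> 4 != 4:             # IP version field must be 4
            continue
        src_ip = IPv4Address(frame[26:30])
        dst_ip = IPv4Address(frame[30:34])
        if src_ip == dst_ip:
            hits.append({"ts": ts, "ip": str(src_ip),
                         "src_mac": fmt_mac(src_mac), "dst_mac": fmt_mac(dst_mac)})
    return hits


# Constructed sample capture: one ordinary packet and two "impossible" ones, using
# the addresses mentioned in the thread (3.0.0.2 and a 127.0.0.x loopback address)
SAMPLE_PCAP = build_pcap([
    build_frame("00:0c:29:11:22:33", "00:0c:29:44:55:66", "10.1.1.5", "10.1.2.9", b"GET /"),
    build_frame("00:0c:29:aa:bb:cc", "00:0c:29:44:55:66", "3.0.0.2", "3.0.0.2"),
    build_frame("00:0c:29:aa:bb:cc", "00:0c:29:44:55:66", "127.0.0.5", "127.0.0.5"),
])

if __name__ == "__main__":
    for hit in find_impossible_packets(SAMPLE_PCAP):
        print(f"t={hit['ts']} {hit['ip']} -> {hit['ip']}  src MAC {hit['src_mac']}  dst MAC {hit['dst_mac']}")
```

To run it over a real log, replace `SAMPLE_PCAP` with the bytes of the exported file. The source MAC in each hit is the thing to chase: resolve it against your switch CAM tables to find the port, which is the same MAC-level view that `tcpdump -e -r <file>` prints line by line, only narrowed to the offending packets.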
