Each packet also has the Don't Fragment flag set in the IP packet.
The signature triggers on packet number 8. The conversation is a normal seq/ack exchange, but at packet 8 there is a TCP keepalive (identified because a TCP packet is sent with the ACK flag set and a sequence number of 1 less than the actual sequence number; it also carries 1 byte of data).
As per the RFC, the target responds with a TCP packet with the ACK flag set and an ack number of 141.
Looks to me like normal keepalive traffic at the application level (since TCP's should be 2 hours); 30 seconds later the connection is closed.
So I'm wondering... why does this trigger a TCP Segment Overwrite event?
This is fixed in the 4.1.4 service pack. Please see DDTS CSCed38305.
From the release note for the bug above:
Signature 1300 fires on what appears to be normal traffic.
Networking stacks based on BSD 4.2 implementations might use an older method of sending TCP keepalives. The IDS flags this as a TCP overwrite and fires signature 1300. The segment is in fact an overwrite, but it is benign.
Upgrade to sensor v4.1.4, where this benign trigger will not cause an alarm to fire.
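The two posts above describe the same mechanism from both sides: the old BSD-style keepalive probe is an ACK whose sequence number is one below the sender's next sequence number, carrying a single garbage byte, so a stream reassembler that only checks "seq below snd_nxt with data" sees an overwrite. The following is an added example, not code from the thread or from the Cisco sensor, showing how a detector can tell that benign probe apart from a real overwrite (different bytes re-sent under an already-acknowledged position) and from a plain retransmission. It assumes one direction of a single stream, segments seen in order with no loss, and the sample segments at the bottom are constructed.

```python
"""Added example (not from the thread): separate a BSD 4.2-style TCP keepalive
probe from a genuine segment overwrite when a segment's sequence number falls
below the sender's expected next sequence number (snd_nxt).

Assumptions: one direction of one stream, segments observed in order with no
loss. The sample segments at the bottom are constructed for this example."""

from dataclasses import dataclass, field
from typing import List, Optional

ACK = 0x10
PSH = 0x08


@dataclass
class Segment:
    seq: int                 # sequence number of the first payload byte
    flags: int
    payload: bytes = b""


@dataclass
class SenderState:
    base: Optional[int] = None                          # seq of first byte seen
    data: bytearray = field(default_factory=bytearray)  # bytes sent so far

    @property
    def snd_nxt(self) -> Optional[int]:
        return None if self.base is None else self.base + len(self.data)


def classify(state: SenderState, seg: Segment) -> str:
    """Return 'new', 'keepalive', 'ack', 'retransmit' or 'overwrite'."""
    n = len(seg.payload)
    if state.base is None:
        state.base = seg.seq
    off = seg.seq - state.base      # position relative to stream start
    sent = len(state.data)
    if off >= sent:
        # In-order data (or a payload-less ACK at snd_nxt): extend the stream.
        state.data.extend(seg.payload)
        return "new"
    # seq < snd_nxt: the segment overlaps bytes that were already sent.
    # Old BSD keepalive: ACK set, seq == snd_nxt - 1, at most one garbage byte.
    # A plain "data below snd_nxt" check reports this as an overwrite.
    if seg.flags & ACK and off == sent - 1 and n <= 1:
        return "keepalive"
    if n == 0:
        return "ack"                # pure ACK with a stale seq, no data to compare
    overlap = min(off + n, sent) - off
    if bytes(state.data[off:off + overlap]) == seg.payload[:overlap]:
        return "retransmit"         # same bytes again: ordinary retransmission
    return "overwrite"              # different bytes under an acked position


def expected_ack(state: SenderState) -> int:
    """ACK number the peer should answer with: it already holds everything up
    to snd_nxt, so a keepalive probe below snd_nxt does not advance it."""
    return state.snd_nxt


def classify_stream(segments: List[Segment]) -> List[str]:
    state = SenderState()
    return [classify(state, s) for s in segments]


# Constructed sample: two data segments, a BSD-style keepalive probe, a clean
# retransmission, and a real overwrite of already-sent bytes.
SAMPLE = [
    Segment(1000, PSH | ACK, b"GET /"),      # 5 bytes -> snd_nxt 1005
    Segment(1005, PSH | ACK, b"HTTP\r\n"),   # 6 bytes -> snd_nxt 1011
    Segment(1010, ACK, b"\x00"),             # seq = snd_nxt - 1, 1 garbage byte
    Segment(1005, PSH | ACK, b"HTTP\r\n"),   # same bytes again
    Segment(1005, PSH | ACK, b"XXXX\r\n"),   # different bytes at an acked seq
]

if __name__ == "__main__":
    for seg, label in zip(SAMPLE, classify_stream(SAMPLE)):
        print(seg.seq, len(seg.payload), label)
```

The keepalive rule is deliberately narrow (ACK set, exactly snd_nxt - 1, at most one byte); a one-byte overwrite at that exact position would be accepted as a probe, which is the trade-off the sensor fix above makes in order to stop the false alarm. The peer's reply carries an ack number equal to the sender's snd_nxt, matching the observation in the first post that the probe is answered with a normal ACK rather than new data.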
Log in to the FXOS chassis manager.
Direct your browser to https://hostname/ and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...