Cisco Support Community

New Member

TCP Segment Overwrites - False Positives?

I am getting thousands of TCP segment overwrite events (ID: 1300) directed at our MS SQL Server from numerous clients. Is this a bug in the MS SQL implementation that could cause false positives? Is there a known exploit that would be causing this?

4 REPLIES
New Member

Re: TCP Segment Overwrites - False Positives?

We have heard of one other customer that is having the same issue. We are looking into it right now. If possible, could you provide a small packet capture of one or more of these streams?

New Member

Re: TCP Segment Overwrites - False Positives?

We have investigated the packet traces we have from the other customer. It appears there might be a problem with a Microsoft stack. The trace we have shows an IE browser hitting an IIS server. There is a legit overwrite of one byte that the IDS is correctly identifying. The traffic we have also does not appear to be an attack. It looks more like a broken TCP stack. The TCP session seems to hang and eventually RSTs are sent to close it. We are trying to reproduce this in our lab so that we can notify our customers as well as let Microsoft know. If you can provide details on OS type and patch level of both the client and server, it would help.

At this point I would say that the alarm is not a false positive, however in the case we have seen it is identifying a broken stack and not a new attack tool.

--Mike
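To make concrete what the "TCP segment overwrite" alarm (ID 1300) is reacting to in Mike's description, here is a small added illustration of the underlying check. It is not Cisco's signature code; it simply tracks the bytes already seen at each sequence number for one direction of a flow and reports a later segment only when it carries different bytes for sequence numbers already covered, so an exact retransmission stays silent while a one-byte rewrite of the kind described above is reported. Segment data is constructed inline and sequence-number wraparound is ignored.

```python
"""Toy detector for TCP segment overwrites (added example, not Cisco IDS code).

Keeps the first-seen byte at every sequence number of one direction of a
flow. A later segment that repeats already-seen bytes unchanged is a plain
retransmission; one that carries different bytes for the same sequence
numbers is an overwrite, which is what the IDS alarm in the thread flags.
Assumes 32-bit sequence wraparound never occurs in the sample (simplification).
"""
from typing import Dict, List, Optional, Tuple

Segment = Tuple[int, bytes]         # (starting sequence number, payload)
Overwrite = Tuple[int, int, int]    # (segment index, seq of first changed byte, bytes changed)


def find_overwrites(segments: List[Segment]) -> List[Overwrite]:
    """Return one record per segment that rewrites bytes already seen."""
    stream: Dict[int, int] = {}     # absolute seq -> byte value seen first
    events: List[Overwrite] = []
    for idx, (seq, payload) in enumerate(segments):
        changed = 0
        first_bad: Optional[int] = None
        for off, byte in enumerate(payload):
            pos = seq + off
            if pos not in stream:
                stream[pos] = byte          # new data: extend the stream
            elif stream[pos] != byte:
                changed += 1                # same seq, different byte
                if first_bad is None:
                    first_bad = pos
            # identical byte at a known seq: ordinary retransmission, no alarm
        if changed and first_bad is not None:
            events.append((idx, first_bad, changed))
    return events


# Constructed client->server segments modelled on the thread: a full segment,
# an exact retransmission (silent), then a partial retransmission of the same
# range in which the last byte differs (one-byte overwrite).
SAMPLE_SEGMENTS: List[Segment] = [
    (1000, b"SELECT name FROM sysobjects"),
    (1000, b"SELECT name FROM sysobjects"),
    (1007, b"name FROM sysobjectS"),
]

if __name__ == "__main__":
    for idx, seq, n in find_overwrites(SAMPLE_SEGMENTS):
        print(f"segment {idx}: {n} byte(s) overwritten starting at seq {seq}")
```

Running it reports only the third segment, with a single changed byte at sequence number 1026; the duplicate second segment produces nothing, which is the distinction between a retransmitting stack and one that rewrites data it already sent.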

New Member

Re: TCP Segment Overwrites - False Positives?

The client that is causing most of the alarms is a Win2K machine with SP2. The server is a Win2K system with SP3a running SQL Server. I have done a packet capture that should include one of the events. What would be the best way to send it to you if you still want it?

Cisco Employee

Re: TCP Segment Overwrites - False Positives?

You can send the capture to either mlhall@cisco.com or klwiley@cisco.com. Thank you for your assistance as we try to figure out what is causing this behavior.
