Cisco Support Community
Community Member

TCP Segment Overwrites (Sig 1300) - Causes?

I recently saw a number of hits against Signature 1300 - TCP Segment Overwrite. I am trying to figure out what could cause this condition. Has anyone else seen this in a normal connection?

Regards,

Chad

6 REPLIES
Silver

Re: TCP Segment Overwrites (Sig 1300) - Causes?

Sig 1300 only alarms if the retransmitted data overwrites a different segment. Check that out...

Community Member

Re: TCP Segment Overwrites (Sig 1300) - Causes?

I have several packet traces from several customers that see this alert. There appears to be a bug in the Microsoft TCP stack when connections go stale. What happens is that the last successful segment's last byte is resent with a value of 0xff. This is after the other end host has ACK'ed the sequence from the last segments.

So, for example:

a->b seq=100 data="ABCDEFG"

b->a ack=107 no data

a->b seq=106 data="(0xff)"

The last packet in the example is overwriting the G in the first packet with an 0xff. This causes the IDS to fire. We are working on detecting this stack bug in a new version.

Community Member

Re: TCP Segment Overwrites (Sig 1300) - Causes?

I have a few traces to run through from the sensor.

Thanks for giving me somewhere to start looking.

Regards,

Chad

Community Member

Re: TCP Segment Overwrites (Sig 1300) - Causes?

After further investigation I have found that there is an older implementation of TCP keepalives dating back to BSD 4.2 days where the keepalive does hold garbage data. Microsoft's stack was based on some of this older BSD code and therefore shows this behavior. So we have concluded that there is no stack bug in Microsoft's TCP stack. They are just doing something that most stacks do not.

We now know the problem and I will be committing a fix for v4.1.4 of the IDS. It will safely ignore an overwrite if it is a single byte, one byte back in the sequence, and both ends of the TCP connection have already ACK'ed the byte.

Sorry for the delay in solving this problem for you all. If you have lowered the sev or filtered 1300 I would recommend setting your filters and severity back to default after upgrading to v4.1.4.
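The one-byte exchange quoted earlier in the thread (seq=100 "ABCDEFG", ack=107, then seq=106 0xff) and the exception described above for 4.1.4, as an added example that is not Cisco's or the sensor's code: a minimal per-direction reassembly tracker in Python that flags an overlap whose bytes differ from what was already accepted, and optionally lets the single-byte, already-ACKed probe through as a keepalive. The `Direction`, `process_segment` and `replay_thread_example` names are assumptions of this example; the segments are constructed from the post.

```python
from dataclasses import dataclass, field

@dataclass
class Direction:
    """Tracker for one direction of a TCP connection (e.g. the a->b half)."""
    seen: dict = field(default_factory=dict)  # seq number -> first byte accepted there
    next_seq: int = 0                         # one past the highest sequence byte seen
    peer_ack: int = 0                         # highest ACK number received from the peer

def record_ack(d: Direction, ack: int) -> None:
    """Note an ACK from the peer (the b->a ack=107 line in the thread)."""
    d.peer_ack = max(d.peer_ack, ack)

def is_keepalive_probe(d: Direction, seq: int, data: bytes) -> bool:
    """The exception described for 4.1.4: a single byte, one byte back in the
    sequence, that the other end has already acknowledged."""
    return len(data) == 1 and seq == d.next_seq - 1 and d.peer_ack >= d.next_seq

def process_segment(d: Direction, seq: int, data: bytes,
                    keepalive_exception: bool = True) -> str:
    """Classify a segment: 'new', 'retransmit' (overlap with identical bytes),
    'keepalive' (exception above) or 'overwrite' (overlap with different bytes,
    the condition this thread attributes to sig 1300)."""
    if keepalive_exception and is_keepalive_probe(d, seq, data):
        return "keepalive"
    verdict = "new"
    for i, byte in enumerate(data):
        pos = seq + i
        if pos not in d.seen:
            d.seen[pos] = byte          # first data seen at this position wins
        elif d.seen[pos] != byte:
            verdict = "overwrite"
        elif verdict == "new":
            verdict = "retransmit"
    d.next_seq = max(d.next_seq, seq + len(data))
    return verdict

def replay_thread_example(keepalive_exception: bool = True) -> list:
    """Replay the a->b exchange quoted in the thread (constructed sample)."""
    a_to_b = Direction()
    verdicts = [process_segment(a_to_b, 100, b"ABCDEFG", keepalive_exception)]
    record_ack(a_to_b, 107)           # b->a ack=107, no data
    verdicts.append(process_segment(a_to_b, 106, b"\xff", keepalive_exception))
    return verdicts

if __name__ == "__main__":
    print(replay_thread_example(False))  # ['new', 'overwrite']: what the older sensor saw
    print(replay_thread_example(True))   # ['new', 'keepalive']: with the 4.1.4 exception
```

A genuine multi-byte overwrite, or a one-byte overlap the peer has not yet ACKed, still classifies as "overwrite" with the exception enabled.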

Community Member

Re: TCP Segment Overwrites (Sig 1300) - Causes?

And when is 4.1.4 due out?

Cisco Employee

Re: TCP Segment Overwrites (Sig 1300) - Causes?

4.1(4) has not been officially scheduled for release as yet, so we cannot give a date for you. However, there will be a 4.1(3d) patch made available that will include this fix in the next two weeks.

KLW
