TCP other option detected

From: Steven Jenkins <steven.jenkins72_at_yahoo.com>
Date: Mon, 3 May 2010 13:42:39 -0700 (PDT)

Hey all,

I have tried to research this on Cisco's site, but haven't come up
with much ...

Should I be concerned about the IPS alert below ... or is it
just standard when there are TCP options set ... and need to tune out as a
false positive?

Any insights appreciated,
sj

Event ID 1271809429156608952
Severity low
Host ID IPS
Application Name sensorApp
Event Time 05/03/2010 16:34:05
Sensor Local Time 05/03/2010 15:34:05
Signature ID 1306
Signature Sub-ID 0
Signature Name TCP Option Other
Signature Version S272
Signature Details TCP Option Other Detected
Interface
Group vs0
VLAN ID 313
Interface ge0_7
Attacker IP 10.88.0.26
Protocol tcp
Attacker Port 2052
Attacker Locality Internal
Target IP 10.15.113.252
Target Port 80
Target Locality Internal
Target OS unknown unknown (relevant)
Actions
Risk Rating TVR=medium ARR=relevant
Risk Rating Value 60
Threat Rating 60
Reputation

Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2010-05-03 16:34:05.964 ----
Ether:
Ether: dst = 2:bf:a:f:71:fc
Ether: src = 0:7:b3:d1:a0:80
Ether: proto = 0x8100 "(VLAN) IEEE 802.1q"
Ether:
VLAN: ---- IEEE802dot1q IEEE=802.1q OSI=2 ----
VLAN:
VLAN: flags = 0000000100111001 313
VLAN: 000............. 0x0 = [priority]
VLAN: ...0............ 0x0 = [cfi]
VLAN: ....000100111001 313 = [id]
VLAN: type = 0x800 "(IP) Internet protocol (v4 or v6)"
VLAN:
IPv4: ---- IPv4 RFC=791 OSI=3 ----
IPv4:
IPv4: ver = 4 "Internet Protocol version 4"
IPv4: hlen = 5 (20 bytes) "No IP options present"
IPv4: tos = 00000000 0x0
IPv4: 000..... 0x0 = [precedence] "Routine"
IPv4: ...0.... 0x0 = [delay] "Normal delay"
IPv4: ....0... 0x0 = [throughput] "Normal throughput"
IPv4: .....0.. 0x0 = [reliability] "Normal reliability"
IPv4: ......00 0x0 = [reserved]
IPv4: len = 60 (40 bytes of data)
IPv4: id = 0xb46a
IPv4: flags = 010 0x2 (bit fields)
IPv4: 0.. 0x0 = [reserved]
IPv4: .1. 0x1 = [df] "Do not fragment"
IPv4: ..0 0x0 = [mf] "no more fragments"
IPv4: offset = 0 (0 bytes)
IPv4: ttl = 123 (hops)
IPv4: protocol = 6 "(TCP) Transmition Control Protocol (RFC793)"
IPv4: checksum = 0xc4d4
IPv4: saddr = 10.88.0.26
IPv4: daddr = 10.15.113.252
IPv4:
TCP: ---- TCP RFC=793 OSI=4 ----
TCP:
TCP: sport = 2052
TCP: dport = 80
TCP: seq = 476818508
TCP: ack = 0
TCP: hlen = 10 (40 bytes)
TCP: res = 0
TCP: code = 000010 0x2
TCP: 0..... 0x0 = [urg]
TCP: .0.... 0x0 = [ack]
TCP: ..0... 0x0 = [psh]
TCP: ...0.. 0x0 = [rst]
TCP: ....1. 0x1 = [syn] "Syncronize Sequence Numbers"
TCP: .....0 0x0 = [fin]
TCP: win = 64512 (bytes)
TCP: crc = 0x59c1 (CRC-16)
TCP: urg = 0 (byte offset)
TCP:
TCP: Options: (20 bytes)
TCP: Opt #1: Maximum Segment Size(2) = 1460
TCP: Opt #2: NOP(1) skipped 1 byte
TCP: Opt #3: NOP(1) skipped 1 byte
TCP: Opt #4: SACK Premitted(4)
TCP: Opt #5: {'' size=-1)(33)
TCP: len = 12 (bytes)
TCP: value = 25.244.206.70.195.121.212.7.5.0
TCP:
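One way to check an alert like this before tuning it out, as an added example that is not part of the original post and not Cisco's signature logic: the script walks the option bytes of the captured SYN and reports every option kind that is not on a list of standard kinds, which is what a "TCP Option Other" style signature is reacting to. The 20 option bytes are reconstructed from the decode above (MSS 1460, two NOPs, SACK Permitted, then option kind 33 with length 12 carrying the ten value bytes 25.244.206.70.195.121.212.7.5.0); the list of kinds treated as known and all function names are my own assumptions, not the sensor's.

```python
"""Walk the TCP options of a SYN and flag any option kind a sensor would
call "other", i.e. not on the list of kinds we consider standard."""

# IANA-assigned TCP option kinds a defender normally expects in a SYN.
# Assumption: this list is mine, not the Cisco signature's own list.
KNOWN_KINDS = {
    0: "End of Option List",
    1: "NOP",
    2: "Maximum Segment Size",
    3: "Window Scale",
    4: "SACK Permitted",
    5: "SACK",
    8: "Timestamps",
}

# Constructed: the 20 option bytes reconstructed from the decode in the post
# (MSS 1460, NOP, NOP, SACK Permitted, then kind 33 / len 12 with the ten
# value bytes 25.244.206.70.195.121.212.7.5.0).
SAMPLE_OPTIONS = bytes.fromhex(
    "020405b4"                     # kind 2, len 4, MSS = 0x05b4 = 1460
    "01" "01"                      # two NOPs (one byte each, no length)
    "0402"                         # kind 4, len 2, SACK Permitted
    "210c" "19f4ce46c379d4070500"  # kind 33, len 12, 10 value bytes
)


def parse_tcp_options(data):
    """Return a list of (kind, value_bytes) tuples, enforcing the RFC 793
    rules: kinds 0 and 1 are single-byte; every other option is kind, length,
    value, where length counts the kind and length bytes (so length >= 2)
    and must not run past the end of the options field."""
    options = []
    i, n = 0, len(data)
    while i < n:
        kind = data[i]
        if kind == 0:                      # EOL: stop, the rest is padding
            options.append((0, b""))
            break
        if kind == 1:                      # NOP: one byte, no length field
            options.append((1, b""))
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("option kind %d truncated: no length byte" % kind)
        length = data[i + 1]
        if length < 2 or i + length > n:
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        options.append((kind, bytes(data[i + 2:i + length])))
        i += length
    return options


def other_option_kinds(options):
    """Kinds absent from KNOWN_KINDS: the ones a 'TCP Option Other'
    signature would report."""
    return sorted({kind for kind, _ in options if kind not in KNOWN_KINDS})


def describe(options):
    """Human-readable lines in the spirit of the sensor's decode."""
    lines = []
    for idx, (kind, value) in enumerate(options, 1):
        name = KNOWN_KINDS.get(kind, "Other")
        if kind == 2 and len(value) == 2:
            detail = " = %d" % int.from_bytes(value, "big")
        elif value:
            detail = " len=%d value=%s" % (
                len(value) + 2, ".".join(str(b) for b in value))
        else:
            detail = ""
        lines.append("Opt #%d: %s(%d)%s" % (idx, name, kind, detail))
    return lines


if __name__ == "__main__":
    parsed = parse_tcp_options(SAMPLE_OPTIONS)
    print("\n".join(describe(parsed)))
    print("non-standard kinds:", other_option_kinds(parsed))
```

Run against the reconstructed bytes it reports kind 33 as the only non-standard option, which is the concrete thing to take to the owner of 10.88.0.26: if that host's stack is known to emit that option on every SYN to port 80, the signature can be tuned for that source; if nobody can account for it, the packet deserves a closer look rather than a filter. The parser deliberately raises on a length byte that is below 2 or overruns the option field instead of skipping silently, because malformed options are a separate condition from merely unfamiliar ones.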

Blogs and organic groups at http://www.ccie.net
Received on Mon May 03 2010 - 13:42:39 ART