Hi, sj
Do you see this alert often, or just once?
Refer to the link below; it seems no action is needed...
http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=1306&signatureSubId=0&softwareVersion=6.0&releaseVersion=S272
Shogo
On Tue, May 4, 2010 at 5:42 AM, Steven Jenkins <steven.jenkins72_at_yahoo.com> wrote:
> Hey all,
>
> I have tried to research this on Cisco's site, but haven't come up
> with much ...
>
> Should I be concerned about the IPS alert below ... or is it
> just standard when there are TCP options set ... and I need to tune it out as a
> false positive?
>
> Any insights appreciated,
> sj
>
>
>
>
>
> Event ID 1271809429156608952
> Severity low
> Host ID IPS
> Application Name sensorApp
> Event Time 05/03/2010 16:34:05
> Sensor Local Time 05/03/2010 15:34:05
> Signature ID 1306
> Signature Sub-ID 0
> Signature Name TCP Option Other
> Signature Version S272
> Signature Details TCP Option Other Detected
> Interface Group vs0
> VLAN ID 313
> Interface ge0_7
> Attacker IP 10.88.0.26
> Protocol tcp
> Attacker Port 2052
> Attacker Locality Internal
> Target IP 10.15.113.252
> Target Port 80
> Target Locality Internal
> Target OS unknown unknown (relevant)
> Actions
> Risk Rating TVR=medium ARR=relevant
> Risk Rating Value 60
> Threat Rating 60
> Reputation
>
> Ether: ---- Ethernet2 OSI=2 Frame #1 Captured on 2010-05-03 16:34:05.964 ----
> Ether:
> Ether: dst = 2:bf:a:f:71:fc
> Ether: src = 0:7:b3:d1:a0:80
> Ether: proto = 0x8100 "(VLAN) IEEE 802.1q"
> Ether:
> VLAN: ---- IEEE802dot1q IEEE=802.1q OSI=2 ----
> VLAN:
> VLAN: flags = 0000000100111001 313
> VLAN: 000............. 0x0 = [priority]
> VLAN: ...0............ 0x0 = [cfi]
> VLAN: ....000100111001 313 = [id]
> VLAN: type = 0x800 "(IP) Internet protocol (v4 or v6)"
> VLAN:
> IPv4: ---- IPv4 RFC=791 OSI=3 ----
> IPv4:
> IPv4: ver = 4 "Internet Protocol version 4"
> IPv4: hlen = 5 (20 bytes) "No IP options present"
> IPv4: tos = 00000000 0x0
> IPv4: 000..... 0x0 = [precedence] "Routine"
> IPv4: ...0.... 0x0 = [delay] "Normal delay"
> IPv4: ....0... 0x0 = [throughput] "Normal throughput"
> IPv4: .....0.. 0x0 = [reliability] "Normal reliability"
> IPv4: ......00 0x0 = [reserved]
> IPv4: len = 60 (40 bytes of data)
> IPv4: id = 0xb46a
> IPv4: flags = 010 0x2 (bit fields)
> IPv4: 0.. 0x0 = [reserved]
> IPv4: .1. 0x1 = [df] "Do not fragment"
> IPv4: ..0 0x0 = [mf] "no more fragments"
> IPv4: offset = 0 (0 bytes)
> IPv4: ttl = 123 (hops)
> IPv4: protocol = 6 "(TCP) Transmition Control Protocol (RFC793)"
> IPv4: checksum = 0xc4d4
> IPv4: saddr = 10.88.0.26
> IPv4: daddr = 10.15.113.252
> IPv4:
> TCP: ---- TCP RFC=793 OSI=4 ----
> TCP:
> TCP: sport = 2052
> TCP: dport = 80
> TCP: seq = 476818508
> TCP: ack = 0
> TCP: hlen = 10 (40 bytes)
> TCP: res = 0
> TCP: code = 000010 0x2
> TCP: 0..... 0x0 = [urg]
> TCP: .0.... 0x0 = [ack]
> TCP: ..0... 0x0 = [psh]
> TCP: ...0.. 0x0 = [rst]
> TCP: ....1. 0x1 = [syn] "Syncronize Sequence Numbers"
> TCP: .....0 0x0 = [fin]
> TCP: win = 64512 (bytes)
> TCP: crc = 0x59c1 (CRC-16)
> TCP: urg = 0 (byte offset)
> TCP:
> TCP: Options: (20 bytes)
> TCP: Opt #1: Maximum Segment Size(2) = 1460
> TCP: Opt #2: NOP(1) skipped 1 byte
> TCP: Opt #3: NOP(1) skipped 1 byte
> TCP: Opt #4: SACK Premitted(4)
> TCP: Opt #5: {'' size=-1)(33)
> TCP: len = 12 (bytes)
> TCP: value = 25.244.206.70.195.121.212.7.5.0
> TCP:
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
--
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ e0f g+ e>
Shogo KOBAYASHI
k.shogo_at_gmail.com (e-mail)
skype name: shogo2022

Received on Tue May 04 2010 - 10:48:43 ART
This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:52 ART
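What the "TCP Option Other" signature is reacting to is visible in the sensor decode quoted above: the SYN carries four standard options (MSS, two NOPs, SACK Permitted) followed by an option of kind 33 that the decoder cannot name. The Python below is an added example, not code from the original message or from Cisco; it walks a TCP options block the way a decoder or IDS does and reports any option kind outside a list of standard ones, which is the same classification the signature expresses. The sample segment is reconstructed from the field values in the decode (ports, sequence number, flags, window, checksum and the 20 option bytes), so the byte layout is an assumption built from that output rather than a real capture, and the parser also rejects the malformed cases a practitioner cares about (a length byte that overruns the block or a data offset that exceeds the segment).

```python
import struct

# Option kinds treated as standard here; any other kind is reported as "other".
STANDARD_TCP_OPTIONS = {
    0: "End of Option List",
    1: "NOP",
    2: "Maximum Segment Size",
    3: "Window Scale",
    4: "SACK Permitted",
    5: "SACK",
    8: "Timestamps",
}


def parse_tcp_options(segment: bytes) -> list:
    """Return one dict per option found in the TCP header of `segment`.

    Raises ValueError when the data offset is inconsistent with the segment
    or an option length field is below 2 or runs past the options block.
    """
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte fixed TCP header")
    data_offset = (segment[12] >> 4) * 4  # header length in bytes, options included
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError(f"bad data offset {data_offset} for {len(segment)}-byte segment")
    options = segment[20:data_offset]
    parsed = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:  # End of Option List: anything after it is padding
            parsed.append({"kind": 0, "name": STANDARD_TCP_OPTIONS[0], "length": 1, "data": b""})
            break
        if kind == 1:  # NOP is a lone byte with no length field
            parsed.append({"kind": 1, "name": STANDARD_TCP_OPTIONS[1], "length": 1, "data": b""})
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError(f"option kind {kind} truncated: no length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"option kind {kind} has invalid length {length}")
        parsed.append({
            "kind": kind,
            "name": STANDARD_TCP_OPTIONS.get(kind, "other"),
            "length": length,
            "data": bytes(options[i + 2:i + length]),
        })
        i += length
    return parsed


def mss_value(option: dict) -> int:
    """Decode the 16-bit value carried by a Maximum Segment Size option."""
    return struct.unpack("!H", option["data"])[0]


def other_option_kinds(parsed: list) -> list:
    """Kinds that would trigger an 'option other' style check."""
    return [o["kind"] for o in parsed if o["kind"] not in STANDARD_TCP_OPTIONS]


def is_malformed(segment: bytes) -> bool:
    """True when the options block cannot be parsed consistently."""
    try:
        parse_tcp_options(segment)
    except ValueError:
        return True
    return False


# Constructed sample: the SYN from the alert, rebuilt from the sensor decode.
# sport 2052, dport 80, seq 476818508, ack 0, hlen 10 words, flags SYN,
# window 64512, checksum 0x59c1, urgent pointer 0.
FIXED_HEADER = struct.pack("!HHIIBBHHH", 2052, 80, 476818508, 0, 10 << 4, 0x02, 64512, 0x59C1, 0)
OPTIONS = (
    bytes([2, 4, 0x05, 0xB4])                                    # MSS = 1460
    + bytes([1, 1])                                              # NOP, NOP
    + bytes([4, 2])                                              # SACK Permitted
    + bytes([33, 12, 25, 244, 206, 70, 195, 121, 212, 7, 5, 0])  # kind 33, 12 bytes
)
SAMPLE_SYN = FIXED_HEADER + OPTIONS


def summarize(segment: bytes) -> str:
    """One line per option, in the same spirit as the sensor decode."""
    lines = []
    for n, o in enumerate(parse_tcp_options(segment), start=1):
        detail = f" = {mss_value(o)}" if o["kind"] == 2 else ""
        lines.append(f"Opt #{n}: {o['name']}({o['kind']}) len={o['length']}{detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_SYN))
    print("non-standard option kinds:", other_option_kinds(parse_tcp_options(SAMPLE_SYN)))
```

Running it against the reconstructed SYN lists the five options and reports kind 33 as the only non-standard one, which is all the signature is saying; the `is_malformed` helper is where a stricter check would go if the concern were a corrupt options block rather than merely an unrecognised kind.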