recallscottwalk
New Member

Filter 7120 false positives with Windows TCP keepalives

Have a question about the following filter, which we're seeing a lot of false positives on:

7120: TCP: Segment Overlap With Different Data, e.g., Fragroute

The description for the filter says that it does not include the one garbage octet for TCP keepalives, but it appears that it is indeed firing for Windows TCP keepalive messages. Packet traces I've taken show that the sequence number of the keep-alive packet is one less than the current sequence number, with 0x00 as the payload. Yet filter 7120 still fires for that packet.

Is this confirmed to be a problem? Will most likely disable this rule, but wanted to see if there was a fix.

Thanks in advance,

Mike
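The keepalive case from the trace above, as an added example (not TippingPoint's filter logic): a small overlap classifier that records each byte a direction has sent, flags a later segment whose bytes differ from what was already seen at those positions, and exempts the one-octet probe sent at snd_nxt - 1. Segment, StreamState and the HTTP sample bytes are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int        # absolute sequence number of the first payload byte
    payload: bytes


@dataclass
class StreamState:
    """Reassembly state for one direction of a connection (constructed, not a real stack)."""
    snd_nxt: int                                  # next sequence number the sender should use
    sent: dict = field(default_factory=dict)      # byte position -> byte already seen on the wire


def is_keepalive(seg: Segment, st: StreamState) -> bool:
    # Keepalive probe as described in the thread: a single octet (0x00 on Windows)
    # whose sequence number is one less than the current sequence number.
    return len(seg.payload) == 1 and seg.seq == st.snd_nxt - 1


def classify(seg: Segment, st: StreamState, exclude_keepalives: bool = True) -> str:
    """Classify a segment against what this direction already sent and update state.

    Returns 'keepalive', 'overlap-different-data', 'overlap-same-data', 'new-data' or 'empty'.
    With exclude_keepalives=False the probe is judged like any other segment, which is the
    false positive the thread describes: its 0x00 octet rarely matches the byte originally
    sent at that position.
    """
    if not seg.payload:
        return "empty"
    if exclude_keepalives and is_keepalive(seg, st):
        return "keepalive"           # do not record the garbage octet over real data
    verdict = "new-data"
    for off, b in enumerate(seg.payload):
        pos = seg.seq + off
        if pos not in st.sent:
            st.sent[pos] = b
        elif st.sent[pos] != b:
            verdict = "overlap-different-data"   # what filter 7120 is meant to catch
        elif verdict == "new-data":
            verdict = "overlap-same-data"        # plain retransmission
    st.snd_nxt = max(st.snd_nxt, seg.seq + len(seg.payload))
    return verdict


if __name__ == "__main__":
    st = StreamState(snd_nxt=1000)
    print(classify(Segment(1000, b"GET / HTTP/1.1\r\n"), st))   # new-data
    print(classify(Segment(1015, b"\x00"), st))                  # keepalive
```

Run the probe through classify with exclude_keepalives=False to see it reported as an overlap with different data, which is the behaviour the post complains about.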

Dan Nelson_6
New Member

Re: Filter 7120 false positives with Windows TCP keepalives

Yes, filter 7120 isn't very good. They tried to fix it again in June (http://threatlinq.tippingpoint.com/blog/?p=2095) but it didn't help. Just disable it.