Filter 7120 false positives with Windows TCP keepalives

recallscottwalk — Thu, 31 Mar 2011 16:55:43 GMT

Have a question about the following filter, which we're seeing a lot of false positives on:

7120: TCP: Segment Overlap With Different Data, e.g., Fragroute

The description for the filter says that it does not include the one garbage octet for TCP keepalives, but it appears that it is indeed firing for Windows TCP keepalive messages. Packet traces I've taken show that the sequence number of the keep-alive packet is one less than the current sequence number, with 0x00 as the payload. Yet filter 7120 still fires for that packet.

Is this confirmed to be a problem? Will most likely disable this rule, but wanted to see if there was a fix.

Thanks in advance,

Mike

Re: Filter 7120 false positives with Windows TCP keepalives

Dan Nelson_6 — Thu, 14 Jul 2011 18:17:01 GMT

Yes, filter 7120 isn't very good. They tried to fix it again in June ( http://threatlinq.tippingpoint.com/blog/?p=2095 ) but it didn't help. Just disable it.

topic Re: Filter 7120 false positives with Windows TCP keepalives in Security e-Series

Filter 7120 false positives with Windows TCP keepalives

Re: Filter 7120 false positives with Windows TCP keepalives