TCP Segment Overwrite Events

Created: 07 Apr 2013 • Updated: 14 May 2013 | 6 comments
Mohammad Ashkaibi
This issue has been solved.

Hello PGP experts,

I'm seeing a whopping number of events on my external Cisco IPS related to TCP Segment Overwrite events. The first party in such events is my PGP Gateway Email, and the other party will always be an external mail server. Sometimes my PGP server is the source and other times it is the target.

Could someone help me out? Any thoughts are appreciated.

Thanks in advance.

6 Comments

Alex_CST

If your IPS appliance is being sent streams from multiple sources and that traffic traverses more than one of those sources, it could be viewed by the Cisco box as duplicate segments when in fact it's just 2 copies of the same traffic going to the IPS. Does that apply in your case?

Please mark posts as solutions if they solve your problem!

http://www.cstl.com
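Alex's point above is that two mirrored copies of the same traffic look like duplicate segments to the IPS. As an added example (not from this thread, nor Cisco or PGP code), here is a small Python check that replays one TCP flow's segments and separates byte-identical duplicates, the benign mirrored-copy case, from overlapping segments whose bytes actually differ, which is what a genuine segment overwrite means; the segment values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int      # absolute TCP sequence number of the first payload byte
    data: bytes   # payload of this segment

def classify_segments(segments):
    """Replay one flow's segments in arrival order and classify each one.

    Verdicts:
      "new"       - no overlap with bytes already seen for this flow
      "duplicate" - overlaps, and every overlapping byte is identical
                    (what two SPAN copies of the same packet look like)
      "overwrite" - overlaps, and at least one overlapping byte differs
                    (the condition a TCP segment overwrite signature is for)
    Assumption: one flow only, no 32-bit sequence wraparound.
    """
    seen = {}          # absolute sequence number -> byte already observed
    verdicts = []
    for seg in segments:
        overlap = conflict = False
        for offset, byte in enumerate(seg.data):
            pos = seg.seq + offset
            if pos in seen:
                overlap = True
                conflict = conflict or seen[pos] != byte
            else:
                seen[pos] = byte
        verdict = "new" if not overlap else ("overwrite" if conflict else "duplicate")
        verdicts.append((seg.seq, verdict))
    return verdicts

# Constructed sample: the same segments seen twice, as an IPS fed by two
# SPAN sessions covering the same path would see an outbound SMTP flow.
MIRRORED = [
    Segment(1000, b"EHLO mail.example"),   # bytes 1000..1016
    Segment(1000, b"EHLO mail.example"),   # second copy of the same packet
    Segment(1017, b".net\r\n"),
    Segment(1017, b".net\r\n"),
]
# Constructed sample: a retransmission whose overlapping bytes differ.
CONFLICTING = [
    Segment(1000, b"EHLO mail.example"),
    Segment(1005, b"XXXX"),                # overlaps 1005..1008, new content
]

if __name__ == "__main__":
    print("mirrored:   ", classify_segments(MIRRORED))
    print("conflicting:", classify_segments(CONFLICTING))
```

Only the "overwrite" verdicts deserve attention; a flow that produces nothing but "duplicate" verdicts is the mirrored-copy situation described above.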

Mohammad Ashkaibi

Thanks for replying Alex, but could you elaborate more on this please? How would a sender's traffic traverse another sender?

Alex_CST

Well, is that IPS box on the edge of the network? I would expect traffic to go to and from the Universal Server. It can be viewed as malicious if it shouldn't be doing that, but the likelihood of the Universal Server being compromised is very, very unlikely. It's hardened a lot to make sure it can just sit there doing what it's told to do. Is your Universal Server in the DMZ?

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

Mohammad Ashkaibi

Yes, the PGP Universal is in the DMZ, and the IPS box is between the edge router and the external firewall. Does this mean that most probably it is a bunch of false positives (that I can simply ignore)? Thanks.

Alex_CST

Most likely. You can track the time and date stamps on the IPS box and see if there is a pattern on the mail going out of the PGP box, but other than that, it's probably safe to ignore.

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

SOLUTION
Mohammad Ashkaibi

You were absolutely right, Alex. It was a temporary issue and now it's gone. I don't know exactly what was going on, but consulting my local Cisco IPS provider made me more confident those were just false positives. Thank you.

-Moh-