3 Replies Latest reply on Aug 29, 2014 11:43 AM by jolson

    How to tune TCP Control Segment Anomaly in NSP

    layer0

      Hello Everyone.

      I see a lot of "TCP Control Segment Anomaly" alerts and I need your help to understand it.

      First of all, the alert does not show any IP address or valuable information.

      Second, this type of alert cannot be blocked; it says "Bidirectional DOS Learning attacks are not blockable". Why?

      Third, the description says: "If this event is correlated with another event such as TCP SYN or FIN Volume Too High, it should provide you with a more accurate understanding of the current event. If this alert is accompanied by a "TCP SYN or FIN Volume Too High" alert, you are likely under a SYN or FIN flood attack; If this alert is seen without the "TCP SYN or FIN Volume Too High" alert, there could be a sudden change in the network routes or some TCP-based servers may become slow."

      Is there any way that I can automatically correlate this alert with the other one mentioned before? Is there a way to know the root cause of so many triggered alerts? How can I tune this alert?

      Thanks.

        • 1. Re: How to tune TCP Control Segment Anomaly in NSP

          It might be worth reviewing the 'Denial-of-Service attacks' starting in Chapter 17 of the following document:

          IPS 8.1 Administration Guide

          Essentially, for the first 48 hours of a Sensor's life

          Per the manual:

          A new Sensor runs for its first 48 hours in learning mode. After 48 hours, the Sensor automatically changes to detection mode, having established a baseline of the normal traffic pattern for the network, or a long-term profile. The assumption is that there are no DoS attacks during those first 48 hours.

          Essentially the Sensor is determining a 'normal' baseline of anomalous numbers of TCP control segments (TCP SYN, SYN ACK, and FIN) on your network. Once this baseline is discovered, the DoS functionality can begin acting on traffic based on statistical deviation - for instance if the number of anomalous TCP control segments is 20% higher one day than the baseline, it's likely a DoS attack and you're capable of being alerted.

          You can view more detailed information in the 'Analysis > Threat Explorer' area of your Manager - I recommend consulting the guide I linked above for additional information.

          Best,

          Jesse Olson

          Technical Support Engineer

          McAfee. Part of Intel Security.
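The learning-then-detect behaviour the reply describes, as an added example that is not part of this thread and not NSP's own code: a toy Sensor that collects hourly TCP control segment counts for a learning window, takes their mean as the long-term profile, and then flags any hour that exceeds that profile by more than 20%. The mean baseline, the hourly granularity and the exact 20% rule are assumptions; the real Sensor's statistics are not described on the page. The second constructed series shows why the guide assumes the first 48 hours are attack-free: a single flood hour inside the learning window inflates the baseline, and a later hour that a clean baseline would have flagged goes unnoticed.

```python
"""Toy model of the NSP Sensor's learning/detection behaviour described above.

Added example (not NSP code, and not the Sensor's real statistics): the
baseline is a plain mean of hourly control-segment counts, and the alert
rule is the 20% deviation figure used in the reply. Both are assumptions
made only to show why the learning window must be attack-free.
"""
from typing import List, Tuple

LEARNING_HOURS = 48          # learning-mode window from the Administration Guide
DEVIATION_THRESHOLD = 0.20   # alert when a count exceeds the baseline by more than 20%


class ControlSegmentBaseline:
    """Learns a baseline of TCP control segments (SYN, SYN-ACK, FIN) per hour,
    then flags hours that exceed it by more than the threshold."""

    def __init__(self, learning_hours: int = LEARNING_HOURS,
                 threshold: float = DEVIATION_THRESHOLD) -> None:
        self.learning_hours = learning_hours
        self.threshold = threshold
        self.samples: List[int] = []   # counts seen during learning mode
        self.hour = 0

    @property
    def mode(self) -> str:
        return "learning" if self.hour < self.learning_hours else "detection"

    def baseline(self) -> float:
        # Long-term profile: mean of the learning-mode samples (assumption).
        return sum(self.samples) / len(self.samples) if self.samples else 0.0

    def observe(self, count: int) -> Tuple[str, bool]:
        """Feed one hour's count; returns (mode, alert)."""
        if self.mode == "learning":
            self.samples.append(count)
            self.hour += 1
            return "learning", False   # learning mode never alerts
        self.hour += 1
        limit = self.baseline() * (1.0 + self.threshold)
        return "detection", count > limit


def simulate(learning_counts: List[int], detection_counts: List[int]) -> List[bool]:
    """Run a constructed series through the model and return the per-hour
    alert decisions for the detection-mode hours only."""
    sensor = ControlSegmentBaseline(learning_hours=len(learning_counts))
    for c in learning_counts:
        sensor.observe(c)
    return [sensor.observe(c)[1] for c in detection_counts]


if __name__ == "__main__":
    # Constructed sample: 48 quiet learning hours, then a mild rise and a spike.
    quiet = [1000, 1100] * 24                 # baseline mean = 1050, limit = 1260
    print(simulate(quiet, [1200, 1400]))      # [False, True]

    # Constructed sample: one flood hour inside the learning window poisons the
    # baseline (mean rises to 1500, limit to 1800), so a 1700-segment hour that a
    # clean baseline flags is no longer flagged. This is the "no DoS attacks
    # during those first 48 hours" assumption from the guide.
    poisoned = [1000] * 48
    poisoned[10] = 25000
    print(simulate(poisoned, [1700]))         # [False]
    print(simulate([1000] * 48, [1700]))      # [True]
```

The practical consequence for tuning is that a Sensor whose learning window overlapped a noisy period carries that noise in its profile; the guide's 48-hour window only produces a useful baseline when it runs during representative, attack-free traffic.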

          • 2. Re: How to tune TCP Control Segment Anomaly in NSP
            layer0

            Thank you jolson, now I understand more about this alert. One pending question: can this alert be correlated with another one?

            • 3. Re: How to tune TCP Control Segment Anomaly in NSP

              Regarding correlating alerts, the document you examined is suggesting that if you're experiencing an issue, navigate to the Analysis > Threat Explorer option in the Manager. Any alerts that show in this area you may be able to correlate with one another to help narrow the scope of what may be happening. There is nothing on the NSM that will automatically correlate attacks for you; that process is very environment-dependent and therefore must be done by someone with experience and expertise with the network in question.

              Best,

              Jesse Olson

              Technical Support Engineer

              McAfee. Part of Intel Security.
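Since the reply says the NSM will not correlate these attacks for you, the pairing described in the attack description quoted in the original post has to be done by an analyst. Below is an added example of that analyst-side step, not code from this thread or from McAfee: it walks a list of alert records, and for each "TCP Control Segment Anomaly" looks for a "TCP SYN or FIN Volume Too High" alert within a few minutes, applying the two readings the description gives (paired: likely SYN/FIN flood; unpaired: look for a route change or slow TCP servers). The record format of (timestamp, attack name), the 5-minute window and the sample records are all constructed assumptions.

```python
"""Analyst-side correlation of NSP alerts, as an added example.

The reply states that the NSM does not correlate attacks automatically, so
this is a hypothetical helper an analyst could run over exported alert
records. The record format (timestamp string, attack name) and the 5-minute
pairing window are assumptions; the two verdicts come from the attack
description quoted in the original post.
"""
from datetime import datetime, timedelta
from typing import List, Tuple

ANOMALY = "TCP Control Segment Anomaly"
VOLUME = "TCP SYN or FIN Volume Too High"

# Constructed sample alert records: (timestamp, attack name).
SAMPLE_ALERTS: List[Tuple[str, str]] = [
    ("2014-08-29 09:00:00", ANOMALY),
    ("2014-08-29 09:02:30", VOLUME),    # within 5 min of the first anomaly
    ("2014-08-29 13:15:00", ANOMALY),   # no volume alert nearby
    ("2014-08-29 18:40:00", VOLUME),    # volume alert with no anomaly nearby
]

FLOOD = "likely SYN or FIN flood"
NO_FLOOD = "no SYN/FIN volume alert nearby: check for a route change or slow TCP servers"


def parse(records: List[Tuple[str, str]]) -> List[Tuple[datetime, str]]:
    """Turn (timestamp string, name) records into (datetime, name) pairs."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), name) for ts, name in records]


def correlate(records: List[Tuple[str, str]],
              window_minutes: int = 5) -> List[Tuple[str, str, int]]:
    """For each Control Segment Anomaly alert, look for a SYN/FIN Volume Too High
    alert within +/- window_minutes and return (timestamp, verdict, paired_count)."""
    window = timedelta(minutes=window_minutes)
    events = parse(records)
    volume_times = [t for t, name in events if name == VOLUME]
    results = []
    for t, name in events:
        if name != ANOMALY:
            continue
        # Any volume alert close enough in time counts as accompanying this one.
        paired = [v for v in volume_times if abs(v - t) <= window]
        verdict = FLOOD if paired else NO_FLOOD
        results.append((t.strftime("%Y-%m-%d %H:%M:%S"), verdict, len(paired)))
    return results


if __name__ == "__main__":
    for ts, verdict, n in correlate(SAMPLE_ALERTS):
        print(f"{ts}  {verdict}  (paired volume alerts: {n})")
```

The window width is the tuning knob here: too narrow and a flood whose two alerts fire a few minutes apart reads as a route or server problem, too wide and unrelated alerts get paired. Pick it from how far apart the two alerts actually land in your own Threat Explorer history.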