I am recently taking over an existing Tippingpoint installation that has been extreamly poortly managed. Trying to reconfigure and organize the deployment. It is pretty small (about 5 110s and 3 10s with the SMS.)
I am seeing an excessive amount of event 7120 "TCP: Segment overlap With Different Data, e.g. Fragroute". Almost exclusively on HTTP port 80 traffic. Going to the IPs listed shows normal, everyday websites (google, amazon etc). the event is currently set to "Block and Notify"
Is this a valid event to Block, is this identifying an issue on our network, could this just be something in our network configuration that changes a packet header? The event currently is useless, and I would like to turn it off if justified so I can focus on other events.
Thanks