Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Event 7120 issues

  • 1.  Event 7120 issues

    Posted Nov 15, 2012 04:34 PM

    I am recently taking over an existing TippingPoint installation that has been extremely poorly managed.  Trying to reconfigure and organize the deployment.  It is pretty small (about 5 110s and 3 10s with the SMS.)

    I am seeing an excessive amount of event 7120 "TCP:  Segment overlap With Different Data, e.g. Fragroute".  Almost exclusively on HTTP port 80 traffic.  Going to the IPs listed shows normal, everyday websites (google, amazon etc).  The event is currently set to "Block and Notify".

    Is this a valid event to Block, is this identifying an issue on our network, could this just be something in our network configuration that changes a packet header?  The event currently is useless, and I would like to turn it off if justified so I can focus on other events.


    Thanks



  • 2.  RE: Event 7120 issues

    Posted Nov 16, 2012 09:54 AM

    Tracking this down a little more - it seems to be related to Google Chrome.  Only our Chrome users are creating these events, other browsers don't.  Anyone?  Should this event be removed, is it creating user problems?


    #chrome


  • 3.  RE: Event 7120 issues

    Posted Nov 26, 2012 02:06 PM

    What TOS version are the IPS running?  New versions of the software made improvements that made this filter more accurate and fire less due to the improvements.



  • 4.  RE: Event 7120 issues

    Posted Jul 09, 2013 08:24 AM

    Although 7120 seems to be better than it was in the past, this filter is triggered by valid traffic frequently in almost every deployment we run into.  What are we missing with this filter disabled?  The follow-up question to that would be why it's still enabled by default?

    It's really not that big of a deal for our clients as we just disable it. But I can see how it could be confusing for new customers.




  • 5.  RE: Event 7120 issues

    Posted Jul 16, 2013 02:47 AM
    This activity itself is not an attack, but in conjunction with other activity it is either evidence of malicious intent or malfunctioning network equipment.
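
For triaging a packet capture of one of these flows, the sketch below separates an ordinary retransmission (overlap with identical bytes) from the condition the filter name describes (overlap with different bytes). It is an added example, not part of the thread and not TippingPoint's filter logic; the function names, the first-seen-bytes-as-reference rule, and the sample segments are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap

@dataclass
class Overlap:
    offset: int        # stream offset where the overlapping run starts
    length: int        # number of overlapping bytes
    conflicting: bool  # True if any overlapping byte differs from first-seen data

def rel(seq, isn):
    """Stream offset of seq relative to the initial sequence number, modulo 2**32."""
    return (seq - isn - 1) & MASK

def find_overlaps(isn, segments):
    """segments: (seq, payload) tuples in arrival order for ONE direction of a flow.
    Bytes seen first are the reference; later bytes covering the same offsets are compared."""
    seen = {}      # stream offset -> byte value first seen at that offset
    results = []
    for seq, payload in segments:
        start = rel(seq, isn)
        run_start, run_len, conflict = None, 0, False
        for i, b in enumerate(payload):
            off = start + i
            if off in seen:
                if run_start is None:
                    run_start = off
                run_len += 1
                conflict |= seen[off] != b
            else:
                seen[off] = b
                if run_start is not None:   # overlapping run ended inside this segment
                    results.append(Overlap(run_start, run_len, conflict))
                    run_start, run_len, conflict = None, 0, False
        if run_start is not None:
            results.append(Overlap(run_start, run_len, conflict))
    return results

# Constructed sample: ISN chosen near 2**32 so the stream crosses the wrap point.
ISN = 0xFFFFFFF0
def at(off):
    return (ISN + 1 + off) & MASK

SAMPLE = [
    (at(0),  b"GET /index"),
    (at(10), b".html HTTP"),
    (at(20), b"/1.1\r\n"),
    (at(10), b".html HTTP"),  # identical retransmission: overlap, same data
    (at(4),  b"/XXXXX"),      # same offsets as "/index", different bytes
]

if __name__ == "__main__":
    for o in find_overlaps(ISN, SAMPLE):
        print(o)
```

Only records with `conflicting=True` correspond to "overlap with different data"; an overlap with identical bytes is a normal retransmission.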