Attack detected by IPS: TCP Urgent Data Enforcement

Testing the WatchTower App, the Statistics page started showing a strange attack:

[Image: UrgentData.jpg]

But IPS Protections do not include this attack! But we have an SK to the rescue: sk36869 "TCP segment with urgent pointer. Urgent data indication was stripped. Please refer to sk36869." log in SmartView Tracker / SmartLog.

This includes a hint for Locally Managed 600 / 700 / 1100 / 1200R / 1400 appliances - and look where this is hidden:

[Image: TCP streaming engine.jpg]

It is the TCP streaming engine, stupid 😅!

1 Reply

Admin

As you probably know, some IPS signatures are actually lower-level firewall checks.
On regular R80.x gateways, these would be in Inspection Settings or even Core Protections.