ombudszoe
New Contributor

Why does using Webex trigger a Snort.TCP.SACK.Option.DoS IPS alert?

Hello!

Does anyone know why participating in a Webex meeting would trigger Snort.TCP.SACK.Option.DoS alerts?
It's weird that whenever my colleagues in China use Webex meetings, the firewall sends such alerts, but colleagues in other countries have never triggered these alerts.


Message as below:

Message meets Alert condition
The following intrusion was observed: Snort.TCP.SACK.Option.DoS.
devid=FGT80ETK19013926 eventtime=1700546688481956986 tz="+0800" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="low" srcip=192.168.120.24 srccountry="Reserved" dstip=173.243.0.86 dstcountry="United States" srcintf="port1" srcintfrole="undefined" dstintf="wan1" dstintfrole="undefined" sessionid=166589540 action="dropped" proto=6 service="SSL" policyid=23 attack="Snort.TCP.SACK.Option.DoS" srcport=32860 dstport=443 hostname="tsa.webex.com" url="/" direction="incoming" attackid=17562 profile="fw_prof_upg_strict" ref="http://www.fortinet.com/ids/VID17562" incidentserialno=94388018 msg="protocol_decoder: Snort.TCP.SACK.Option.DoS" crscore=5 craction=32768 crlevel="low"

I know how to whitelist these alerts, but I'm curious why they were triggered.

Thanks in advance!

DPadula
Staff

Hi

According to https://www.fortiguard.com/encyclopedia/ips/17562, it seems that the SACK option is part of a small-length TCP packet from the traffic coming from China.


If you can do a capture of the Webex traffic from China and also from another country, we could compare both to understand the differences (probably the length).
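The comparison suggested above comes down to finding the segments that carry a SACK option and checking how long they are. The following Python is an added example, not code from the thread or from Fortinet: it parses a raw Ethernet/IPv4/TCP frame (as read from a pcap), walks the TCP option list and reports the IP total length, the payload length and any SACK blocks, so two captures can be compared segment by segment. The sample frame is constructed, reusing only the addresses and ports from the log line above.

```python
import struct
from typing import List, Optional, Tuple

SACK_KIND = 5  # TCP option kind for Selective Acknowledgement (RFC 2018)


def parse_tcp_options(opts: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TCP option list and return (kind, value) pairs."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP padding, no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def sack_blocks(opts: bytes) -> List[Tuple[int, int]]:
    """Return SACK blocks as (left edge, right edge); empty if no SACK option."""
    blocks = []
    for kind, val in parse_tcp_options(opts):
        if kind == SACK_KIND:
            for j in range(0, len(val) - 7, 8):
                blocks.append(struct.unpack("!II", val[j:j + 8]))
    return blocks


def inspect_ipv4_tcp(frame: bytes) -> Optional[dict]:
    """For an Ethernet/IPv4/TCP frame, report lengths and SACK blocks; None otherwise."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:           # IPv4 protocol field: 6 = TCP
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:14 + total_len]
    doff = (tcp[12] >> 4) * 4    # TCP data offset in bytes
    return {"ip_len": total_len, "payload_len": len(tcp) - doff, "sack": sack_blocks(tcp[20:doff])}


def build_sample_frame() -> bytes:
    """Constructed sample (not a real capture): a pure ACK carrying one SACK block."""
    opts = b"\x01\x01" + struct.pack("!BBII", SACK_KIND, 10, 1000, 2000)  # NOP NOP SACK
    tcp = struct.pack("!HHIIBBHHH", 32860, 443, 1, 1, (32 // 4) << 4, 0x10, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([192, 168, 120, 24]), bytes([173, 243, 0, 86]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp
```

Feed each frame from the China and non-China captures through inspect_ipv4_tcp and compare the ip_len values of the segments whose sack list is non-empty.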
